Re: [EXTERNAL] BlazeDS release

2022-09-14 Thread Piotr Zarzycki
Hi Spiros,

Thanks! I will look into that soon.

Mon, 5 Sep 2022 at 10:58 spiros wrote:

> Hi,
> This library is used by 4 classes (only org.apache.xpath.CachedXPathAPI):
>
> 1. flex.messaging.config.ApacheXPathClientConfigurationParser.java
> (common).
> 2. flex.messaging.config.ApacheXPathServerConfigurationParser.java (core).
> 3. flex.messaging.io.amf.MessageGenerator.java (core-test)
> 4. flex.messaging.io.amfx.DeserializationConfirmation.java (core-test)
>
> Classes 1 and 2 add XML support for Java JRE 1.4; you can see this in
> flex.messaging.config.ServicesDependencies.java (common), lines 219-236,
> function static ConfigurationParser getConfigurationParser(String
> className) for the first,
> and
> flex.messaging.config.FlexConfigurationManager.java (core), lines 105-118,
> function private ConfigurationParser getConfigurationParser(ServletConfig
> servletConfig).
>
> For classes 3 and 4 (test):
> the class flex.messaging.config.XPathServerConfigurationParser.java
> (common) is a guide to modify the code.
>
> My suggestion:
> - Remove support for JRE 1.4 - too old
> - delete classes 1, 2
> - modify classes 3, 4,
> Optionally modify classes flex.messaging.config.ServicesDependencies.java
> and flex.messaging.config.FlexConfigurationManager.java
>
>
>
> Spiros
>
>
>
>
> -Original Message-
> From: Piotr Zarzycki [mailto:piotrzarzyck...@gmail.com]
> Sent: Tuesday, August 30, 2022 9:57 AM
> To: dev@flex.apache.org
> Subject: Re: [EXTERNAL] BlazeDS release
>
> Maybe there is some replacement for both of them? What do you think?
>
> Fri, 26 Aug 2022 at 12:53 Piotr Zarzycki wrote:
>
> > Hi guys,
> >
> > Unfortunately neither of these plugins has a newer version.
> > The latest ones are serializer-2.7.2 and xalan-2.7.2, and we are using them.
> > Any suggestions?
> >
> > Thanks,
> > Piotr
> >
> > Mon, 22 Aug 2022 at 10:44 Piotr Zarzycki wrote:
> >
> >> Hi Chris and All,
> >>
> >> I will try to upgrade dependencies myself this week. I will let you know
> >> here how it goes.
> >>
> >> Thanks,
> >> Piotr
> >>
> >> Tue, 16 Aug 2022 at 14:46 Christofer Dutz wrote:
> >>
> >>> Well …
> >>>
> >>> you might not, but a malicious attacker might.
> >>> I think the last few releases of BlazeDS that I did in the past were
> >>> reacting to CVEs reported in the XML processing part of BlazeDS. Here, for
> >>> example, a malicious attacker could embed XML using XML entities that
> >>> referenced protected resources on the server, and the BlazeDS server just
> >>> resolved them, exposing this protected information.
> >>>
> >>> However, I think I remember I turned off the XML processing of external
> >>> resources by default. I think this problem would probably not apply in very
> >>> many cases.
> >>>
> >>> However, this seems to be a pretty new vulnerability, as I wasn't
> >>> getting it when I started the branch. So, I would advise looking whether a
> >>> newer version is available and simply switching to that. If you need help
> >>> with that … give me a ping. Should be a matter of 5 minutes.
> >>>
> >>> Chris
> >>>
> >>>
> >>> From: Tom Chiverton 
> >>> Date: Tuesday, 16 August 2022 at 12:20
> >>> To: dev@flex.apache.org , Brian Raymes <
> >>> brian.ray...@teotech.com>
> >>> Subject: Re: [EXTERNAL] BlazeDS release
> >>> The issue there is when processing malicious XSLT.
> >>>
> >>> We don't pass untrusted XSLT to it?
> >>>
> >>> Tom
> >>>
> >>> On 15/08/2022 22:36, Brian Raymes wrote:
> >>> > Seems like those dependencies need to be replaced due to
> >>> vulnerabilities, as the Apache Xalan project has been retired:
> >>> >
> >>> > https://github.com/advisories/GHSA-9339-86wc-4qgf
> >>> >
> >>> >
> >>> >
> >>> > -Original Message-
> >>> > From: Piotr Zarzycki 
> >>> > Sent: Sunday, August 14, 2022 3:26 AM
> >>> > To: dev@flex.apache.org
> >>> > Subject: [EXTERNAL] BlazeDS release
> >>> >
> >>> > Hi All,
> >>> >
> >>> > In this thread I will be reporting updates related to release of
> >>> Bla

RE: [EXTERNAL] BlazeDS release

2022-09-05 Thread spiros
Hi,
This library is used by 4 classes (only org.apache.xpath.CachedXPathAPI):

1. flex.messaging.config.ApacheXPathClientConfigurationParser.java (common).
2. flex.messaging.config.ApacheXPathServerConfigurationParser.java (core).
3. flex.messaging.io.amf.MessageGenerator.java (core-test)
4. flex.messaging.io.amfx.DeserializationConfirmation.java (core-test)

Classes 1 and 2 add XML support for Java JRE 1.4; you can see this in
flex.messaging.config.ServicesDependencies.java (common), lines 219-236, function
static ConfigurationParser getConfigurationParser(String className) for the first,
and
flex.messaging.config.FlexConfigurationManager.java (core), lines 105-118,
function private ConfigurationParser getConfigurationParser(ServletConfig
servletConfig).

For classes 3 and 4 (test):
the class flex.messaging.config.XPathServerConfigurationParser.java (common) is
a guide to modify the code.

My suggestion:
- Remove support for JRE 1.4 - too old
- delete classes 1, 2
- modify classes 3, 4,
Optionally modify classes flex.messaging.config.ServicesDependencies.java and
flex.messaging.config.FlexConfigurationManager.java



Spiros




-Original Message-
From: Piotr Zarzycki [mailto:piotrzarzyck...@gmail.com] 
Sent: Tuesday, August 30, 2022 9:57 AM
To: dev@flex.apache.org
Subject: Re: [EXTERNAL] BlazeDS release

Maybe there is some replacement for both of them? What do you think?

Fri, 26 Aug 2022 at 12:53 Piotr Zarzycki wrote:

> Hi guys,
>
> Unfortunately neither of these plugins has a newer version.
> The latest ones are serializer-2.7.2 and xalan-2.7.2, and we are using them.
> Any suggestions?
>
> Thanks,
> Piotr
>
> Mon, 22 Aug 2022 at 10:44 Piotr Zarzycki wrote:
>
>> Hi Chris and All,
>>
>> I will try to upgrade dependencies myself this week. I will let you know
>> here how it goes.
>>
>> Thanks,
>> Piotr
>>
>> Tue, 16 Aug 2022 at 14:46 Christofer Dutz wrote:
>>
>>> Well …
>>>
>>> you might not, but a malicious attacker might.
>>> I think the last few releases of BlazeDS that I did in the past were
>>> reacting to CVEs reported in the XML processing part of BlazeDS. Here, for
>>> example, a malicious attacker could embed XML using XML entities that
>>> referenced protected resources on the server, and the BlazeDS server just
>>> resolved them, exposing this protected information.
>>>
>>> However, I think I remember I turned off the XML processing of external
>>> resources by default. I think this problem would probably not apply in very
>>> many cases.
>>>
>>> However, this seems to be a pretty new vulnerability, as I wasn't
>>> getting it when I started the branch. So, I would advise looking whether a
>>> newer version is available and simply switching to that. If you need help
>>> with that … give me a ping. Should be a matter of 5 minutes.
>>>
>>> Chris
>>>
>>>
>>> From: Tom Chiverton 
>>> Date: Tuesday, 16 August 2022 at 12:20
>>> To: dev@flex.apache.org , Brian Raymes <
>>> brian.ray...@teotech.com>
>>> Subject: Re: [EXTERNAL] BlazeDS release
>>> The issue there is when processing malicious XSLT.
>>>
>>> We don't pass untrusted XSLT to it?
>>>
>>> Tom
>>>
>>> On 15/08/2022 22:36, Brian Raymes wrote:
>>> > Seems like those dependencies need to be replaced due to
>>> vulnerabilities, as the Apache Xalan project has been retired:
>>> >
>>> > https://github.com/advisories/GHSA-9339-86wc-4qgf
>>> >
>>> >
>>> >
>>> > -Original Message-
>>> > From: Piotr Zarzycki 
>>> > Sent: Sunday, August 14, 2022 3:26 AM
>>> > To: dev@flex.apache.org
>>> > Subject: [EXTERNAL] BlazeDS release
>>> >
>>> > Hi All,
>>> >
>>> > In this thread I will be reporting updates related to release of
>>> BlazeDS. I looked into Chris's branch and I would like to exclude Proxy
>>> module from upcoming release. Please let me know in this thread whether you
>>> have anything against it.
>>> >
>>> > Meanwhile I have the following error on the console during build - Anyone
>>> know what that means?
>>> >
>>> > One or more dependencies were identified with known vulnerabilities in
>>> > flex-messaging-common:
>>> >
>>> >
>>> > serializer-2.7.2.jar (pkg:maven/xalan/serializer@2.7.2,
>>> > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
>>

Re: [EXTERNAL] BlazeDS release

2022-08-30 Thread Piotr Zarzycki
Maybe there is some replacement for both of them? What do you think?

Fri, 26 Aug 2022 at 12:53 Piotr Zarzycki wrote:

> Hi guys,
>
> Unfortunately neither of these plugins has a newer version.
> The latest ones are serializer-2.7.2 and xalan-2.7.2, and we are using them.
> Any suggestions?
>
> Thanks,
> Piotr
>
> Mon, 22 Aug 2022 at 10:44 Piotr Zarzycki wrote:
>
>> Hi Chris and All,
>>
>> I will try to upgrade dependencies myself this week. I will let you know
>> here how it goes.
>>
>> Thanks,
>> Piotr
>>
>> Tue, 16 Aug 2022 at 14:46 Christofer Dutz wrote:
>>
>>> Well …
>>>
>>> you might not, but a malicious attacker might.
>>> I think the last few releases of BlazeDS that I did in the past were
>>> reacting to CVEs reported in the XML processing part of BlazeDS. Here, for
>>> example, a malicious attacker could embed XML using XML entities that
>>> referenced protected resources on the server, and the BlazeDS server just
>>> resolved them, exposing this protected information.
>>>
>>> However, I think I remember I turned off the XML processing of external
>>> resources by default. I think this problem would probably not apply in very
>>> many cases.
>>>
>>> However, this seems to be a pretty new vulnerability, as I wasn't
>>> getting it when I started the branch. So, I would advise looking whether a
>>> newer version is available and simply switching to that. If you need help
>>> with that … give me a ping. Should be a matter of 5 minutes.
>>>
>>> Chris
>>>
>>>
>>> From: Tom Chiverton 
>>> Date: Tuesday, 16 August 2022 at 12:20
>>> To: dev@flex.apache.org , Brian Raymes <
>>> brian.ray...@teotech.com>
>>> Subject: Re: [EXTERNAL] BlazeDS release
>>> The issue there is when processing malicious XSLT.
>>>
>>> We don't pass untrusted XSLT to it?
>>>
>>> Tom
>>>
>>> On 15/08/2022 22:36, Brian Raymes wrote:
>>> > Seems like those dependencies need to be replaced due to
>>> vulnerabilities, as the Apache Xalan project has been retired:
>>> >
>>> > https://github.com/advisories/GHSA-9339-86wc-4qgf
>>> >
>>> >
>>> >
>>> > -Original Message-
>>> > From: Piotr Zarzycki 
>>> > Sent: Sunday, August 14, 2022 3:26 AM
>>> > To: dev@flex.apache.org
>>> > Subject: [EXTERNAL] BlazeDS release
>>> >
>>> > Hi All,
>>> >
>>> > In this thread I will be reporting updates related to release of
>>> BlazeDS. I looked into Chris's branch and I would like to exclude Proxy
>>> module from upcoming release. Please let me know in this thread whether you
>>> have anything against it.
>>> >
>>> > Meanwhile I have the following error on the console during build - Anyone
>>> know what that means?
>>> >
>>> > One or more dependencies were identified with known vulnerabilities in
>>> > flex-messaging-common:
>>> >
>>> >
>>> > serializer-2.7.2.jar (pkg:maven/xalan/serializer@2.7.2,
>>> > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
>>> >
>>> > xalan-2.7.2.jar (pkg:maven/xalan/xalan@2.7.2,
>>> > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
>>> >
>>> >
>>> >
>>> > See the dependency-check report for more details.
>>> >
>>> >
>>> >
>>> > [*INFO*]
>>> >
>>> **
>>> >
>>> > [*INFO*] *Reactor Summary for Apache Flex - BlazeDS 4.8.0-SNAPSHOT:*
>>> >
>>> > [*INFO*]
>>> >
>>> > [*INFO*] Apache Flex - BlazeDS ..
>>> > *SUCCESS* [  5.914
>>> > s]
>>> >
>>> > [*INFO*] flex-messaging-archetypes ..
>>> > *SUCCESS* [  1.409
>>> > s]
>>> >
>>> > [*INFO*] blazeds-spring-boot-example-archetype ..
>>> > *SUCCESS* [  4.430
>>> > s]
>>> >
>>> > [*INFO*] flex-messaging-common ..
>>> > *FAILURE* [  2.155
>>> > s]
>>> >
>>> > [*INFO*] flex-messaging-core  *SKIPPED*
>>>

Re: [EXTERNAL] BlazeDS release

2022-08-26 Thread Piotr Zarzycki
Hi guys,

Unfortunately neither of these plugins has a newer version.
The latest ones are serializer-2.7.2 and xalan-2.7.2, and we are using them.
Any suggestions?

Thanks,
Piotr

Mon, 22 Aug 2022 at 10:44 Piotr Zarzycki wrote:

> Hi Chris and All,
>
> I will try to upgrade dependencies myself this week. I will let you know
> here how it goes.
>
> Thanks,
> Piotr
>
> Tue, 16 Aug 2022 at 14:46 Christofer Dutz wrote:
>
>> Well …
>>
>> you might not, but a malicious attacker might.
>> I think the last few releases of BlazeDS that I did in the past were
>> reacting to CVEs reported in the XML processing part of BlazeDS. Here, for
>> example, a malicious attacker could embed XML using XML entities that
>> referenced protected resources on the server, and the BlazeDS server just
>> resolved them, exposing this protected information.
>>
>> However, I think I remember I turned off the XML processing of external
>> resources by default. I think this problem would probably not apply in very
>> many cases.
>>
>> However, this seems to be a pretty new vulnerability, as I wasn't getting
>> it when I started the branch. So, I would advise looking whether a newer
>> version is available and simply switching to that. If you need help with that
>> … give me a ping. Should be a matter of 5 minutes.
>>
>> Chris
>>
>>
>> From: Tom Chiverton 
>> Date: Tuesday, 16 August 2022 at 12:20
>> To: dev@flex.apache.org , Brian Raymes <
>> brian.ray...@teotech.com>
>> Subject: Re: [EXTERNAL] BlazeDS release
>> The issue there is when processing malicious XSLT.
>>
>> We don't pass untrusted XSLT to it?
>>
>> Tom
>>
>> On 15/08/2022 22:36, Brian Raymes wrote:
>> > Seems like those dependencies need to be replaced due to
>> vulnerabilities, as the Apache Xalan project has been retired:
>> >
>> > https://github.com/advisories/GHSA-9339-86wc-4qgf
>> >
>> >
>> >
>> > -Original Message-
>> > From: Piotr Zarzycki 
>> > Sent: Sunday, August 14, 2022 3:26 AM
>> > To: dev@flex.apache.org
>> > Subject: [EXTERNAL] BlazeDS release
>> >
>> > Hi All,
>> >
>> > In this thread I will be reporting updates related to release of
>> BlazeDS. I looked into Chris's branch and I would like to exclude Proxy
>> module from upcoming release. Please let me know in this thread whether you
>> have anything against it.
>> >
>> > Meanwhile I have the following error on the console during build - Anyone
>> know what that means?
>> >
>> > One or more dependencies were identified with known vulnerabilities in
>> > flex-messaging-common:
>> >
>> >
>> > serializer-2.7.2.jar (pkg:maven/xalan/serializer@2.7.2,
>> > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
>> >
>> > xalan-2.7.2.jar (pkg:maven/xalan/xalan@2.7.2,
>> > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
>> >
>> >
>> >
>> > See the dependency-check report for more details.
>> >
>> >
>> >
>> > [*INFO*]
>> >
>> **
>> >
>> > [*INFO*] *Reactor Summary for Apache Flex - BlazeDS 4.8.0-SNAPSHOT:*
>> >
>> > [*INFO*]
>> >
>> > [*INFO*] Apache Flex - BlazeDS ..
>> > *SUCCESS* [  5.914
>> > s]
>> >
>> > [*INFO*] flex-messaging-archetypes ..
>> > *SUCCESS* [  1.409
>> > s]
>> >
>> > [*INFO*] blazeds-spring-boot-example-archetype ..
>> > *SUCCESS* [  4.430
>> > s]
>> >
>> > [*INFO*] flex-messaging-common ..
>> > *FAILURE* [  2.155
>> > s]
>> >
>> > [*INFO*] flex-messaging-core  *SKIPPED*
>> >
>> > [*INFO*] flex-messaging-proxy ... *SKIPPED*
>> >
>> > [*INFO*] flex-messaging-remoting  *SKIPPED*
>> >
>> > [*INFO*] flex-messaging-opt . *SKIPPED*
>> >
>> > [*INFO*] flex-messaging-opt-tomcat .. *SKIPPED*
>> >
>> > [*INFO*] flex-messaging-opt-tomcat-base . *SKIPPED*
>> >
>> > [*INFO*]
>> >
>> *

Re: [EXTERNAL] BlazeDS release

2022-08-22 Thread Piotr Zarzycki
Hi Chris and All,

I will try to upgrade dependencies myself this week. I will let you know
here how it goes.

Thanks,
Piotr

Tue, 16 Aug 2022 at 14:46 Christofer Dutz wrote:

> Well …
>
> you might not, but a malicious attacker might.
> I think the last few releases of BlazeDS that I did in the past were
> reacting to CVEs reported in the XML processing part of BlazeDS. Here, for
> example, a malicious attacker could embed XML using XML entities that
> referenced protected resources on the server, and the BlazeDS server just
> resolved them, exposing this protected information.
>
> However, I think I remember I turned off the XML processing of external
> resources by default. I think this problem would probably not apply in very
> many cases.
>
> However, this seems to be a pretty new vulnerability, as I wasn't getting
> it when I started the branch. So, I would advise looking whether a newer
> version is available and simply switching to that. If you need help with that
> … give me a ping. Should be a matter of 5 minutes.
>
> Chris
>
>
> From: Tom Chiverton 
> Date: Tuesday, 16 August 2022 at 12:20
> To: dev@flex.apache.org , Brian Raymes <
> brian.ray...@teotech.com>
> Subject: Re: [EXTERNAL] BlazeDS release
> The issue there is when processing malicious XSLT.
>
> We don't pass untrusted XSLT to it?
>
> Tom
>
> On 15/08/2022 22:36, Brian Raymes wrote:
> > Seems like those dependencies need to be replaced due to
> vulnerabilities, as the Apache Xalan project has been retired:
> >
> > https://github.com/advisories/GHSA-9339-86wc-4qgf
> >
> >
> >
> > -Original Message-
> > From: Piotr Zarzycki 
> > Sent: Sunday, August 14, 2022 3:26 AM
> > To: dev@flex.apache.org
> > Subject: [EXTERNAL] BlazeDS release
> >
> > Hi All,
> >
> > In this thread I will be reporting updates related to release of
> BlazeDS. I looked into Chris's branch and I would like to exclude Proxy
> module from upcoming release. Please let me know in this thread whether you
> have anything against it.
> >
> > Meanwhile I have the following error on the console during build - Anyone
> know what that means?
> >
> > One or more dependencies were identified with known vulnerabilities in
> > flex-messaging-common:
> >
> >
> > serializer-2.7.2.jar (pkg:maven/xalan/serializer@2.7.2,
> > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
> >
> > xalan-2.7.2.jar (pkg:maven/xalan/xalan@2.7.2,
> > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
> >
> >
> >
> > See the dependency-check report for more details.
> >
> >
> >
> > [*INFO*]
> >
> **
> >
> > [*INFO*] *Reactor Summary for Apache Flex - BlazeDS 4.8.0-SNAPSHOT:*
> >
> > [*INFO*]
> >
> > [*INFO*] Apache Flex - BlazeDS ..
> > *SUCCESS* [  5.914
> > s]
> >
> > [*INFO*] flex-messaging-archetypes ..
> > *SUCCESS* [  1.409
> > s]
> >
> > [*INFO*] blazeds-spring-boot-example-archetype ..
> > *SUCCESS* [  4.430
> > s]
> >
> > [*INFO*] flex-messaging-common ..
> > *FAILURE* [  2.155
> > s]
> >
> > [*INFO*] flex-messaging-core  *SKIPPED*
> >
> > [*INFO*] flex-messaging-proxy ... *SKIPPED*
> >
> > [*INFO*] flex-messaging-remoting  *SKIPPED*
> >
> > [*INFO*] flex-messaging-opt . *SKIPPED*
> >
> > [*INFO*] flex-messaging-opt-tomcat .. *SKIPPED*
> >
> > [*INFO*] flex-messaging-opt-tomcat-base . *SKIPPED*
> >
> > [*INFO*]
> >
> **
> >
> > [*INFO*] *BUILD FAILURE*
> >
> > [*INFO*]
> >
> **
> >
> > [*INFO*] Total time:  14.115 s
> >
> > [*INFO*] Finished at: 2022-08-14T12:24:30+02:00
> >
> > [*INFO*]
> >
> **
> >
> > [*ERROR*] Failed to execute goal
> > org.owasp:dependency-check-maven:7.1.0:check *(default)* on project
> > flex-messaging-common:
> >
> > [*ERROR*]
> >
> > [*ERROR*] *One or more dependencies were identified with vulnerabilities
> that have a CVSS score greater than or equal to '4.0': *
> >
> > [*ERROR*]
> >
> > [*ERROR*] *serializer-2.7.2.jar: CVE-2022-34169(9.8)*
> >
> > [*ERROR*] *xalan-2.7.2.jar: CVE-2022-34169(9.8)*
> >
> > [*ERROR*]
> >
> > [*ERROR*] *See the dependency-check report for more details.*
> >
> > Thanks,
>
> __
> This email has been scanned by the Symantec Email Security.cloud service.
> For more information please visit http://www.symanteccloud.com
> __
>


-- 

Piotr Zarzycki


Re: [EXTERNAL] BlazeDS release

2022-08-16 Thread Christofer Dutz
Well …

you might not, but a malicious attacker might.
I think the last few releases of BlazeDS that I did in the past were reacting
to CVEs reported in the XML processing part of BlazeDS. Here, for example, a
malicious attacker could embed XML using XML entities that referenced protected
resources on the server, and the BlazeDS server just resolved them, exposing this
protected information.

However, I think I remember I turned off the XML processing of external
resources by default. I think this problem would probably not apply in very many
cases.

However, this seems to be a pretty new vulnerability, as I wasn't getting it
when I started the branch. So, I would advise looking whether a newer version is
available and simply switching to that. If you need help with that … give me a
ping. Should be a matter of 5 minutes.

Chris


From: Tom Chiverton 
Date: Tuesday, 16 August 2022 at 12:20
To: dev@flex.apache.org , Brian Raymes 

Subject: Re: [EXTERNAL] BlazeDS release
The issue there is when processing malicious XSLT.

We don't pass untrusted XSLT to it?

Tom

On 15/08/2022 22:36, Brian Raymes wrote:
> Seems like those dependencies need to be replaced due to vulnerabilities, as 
> the Apache Xalan project has been retired:
>
> https://github.com/advisories/GHSA-9339-86wc-4qgf
>
>
>
> -Original Message-
> From: Piotr Zarzycki 
> Sent: Sunday, August 14, 2022 3:26 AM
> To: dev@flex.apache.org
> Subject: [EXTERNAL] BlazeDS release
>
> Hi All,
>
> In this thread I will be reporting updates related to release of BlazeDS. I 
> looked into Chris's branch and I would like to exclude Proxy module from 
> upcoming release. Please let me know in this thread whether you have anything 
> against it.
>
> Meanwhile I have the following error on the console during build - Anyone know
> what that means?
>
> One or more dependencies were identified with known vulnerabilities in
> flex-messaging-common:
>
>
> serializer-2.7.2.jar (pkg:maven/xalan/serializer@2.7.2,
> cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
>
> xalan-2.7.2.jar (pkg:maven/xalan/xalan@2.7.2,
> cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
>
>
>
> See the dependency-check report for more details.
>
>
>
> [*INFO*]
> **
>
> [*INFO*] *Reactor Summary for Apache Flex - BlazeDS 4.8.0-SNAPSHOT:*
>
> [*INFO*]
>
> [*INFO*] Apache Flex - BlazeDS ..
> *SUCCESS* [  5.914
> s]
>
> [*INFO*] flex-messaging-archetypes ..
> *SUCCESS* [  1.409
> s]
>
> [*INFO*] blazeds-spring-boot-example-archetype ..
> *SUCCESS* [  4.430
> s]
>
> [*INFO*] flex-messaging-common ..
> *FAILURE* [  2.155
> s]
>
> [*INFO*] flex-messaging-core  *SKIPPED*
>
> [*INFO*] flex-messaging-proxy ... *SKIPPED*
>
> [*INFO*] flex-messaging-remoting  *SKIPPED*
>
> [*INFO*] flex-messaging-opt . *SKIPPED*
>
> [*INFO*] flex-messaging-opt-tomcat .. *SKIPPED*
>
> [*INFO*] flex-messaging-opt-tomcat-base . *SKIPPED*
>
> [*INFO*]
> **
>
> [*INFO*] *BUILD FAILURE*
>
> [*INFO*]
> **
>
> [*INFO*] Total time:  14.115 s
>
> [*INFO*] Finished at: 2022-08-14T12:24:30+02:00
>
> [*INFO*]
> **
>
> [*ERROR*] Failed to execute goal
> org.owasp:dependency-check-maven:7.1.0:check *(default)* on project
> flex-messaging-common:
>
> [*ERROR*]
>
> [*ERROR*] *One or more dependencies were identified with vulnerabilities that 
> have a CVSS score greater than or equal to '4.0': *
>
> [*ERROR*]
>
> [*ERROR*] *serializer-2.7.2.jar: CVE-2022-34169(9.8)*
>
> [*ERROR*] *xalan-2.7.2.jar: CVE-2022-34169(9.8)*
>
> [*ERROR*]
>
> [*ERROR*] *See the dependency-check report for more details.*
>
> Thanks,

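The two technical points in this thread, Chris's note that BlazeDS turns off XML processing of external resources by default, and Spiros's observation that the Xalan dependency is only pulled in for org.apache.xpath.CachedXPathAPI, as one added example. This is not code from BlazeDS or from anyone in the thread; it assumes only the JDK's built-in JAXP parser and XPath engine (no Xalan on the classpath). The class name HardenedXPathExample, the helper method names and the sample services-config fragment are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/**
 * Added example (not BlazeDS code): parse an XML configuration with a JAXP
 * parser that rejects DOCTYPEs and never resolves external resources, then
 * query it with javax.xml.xpath instead of Xalan's CachedXPathAPI.
 */
public class HardenedXPathExample {

    /** DocumentBuilder that refuses any DOCTYPE and never fetches external resources. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject DOCTYPE declarations outright, so entity declarations are never evaluated.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for configurations that do permit a DOCTYPE.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    static Document parse(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** JAXP equivalent of CachedXPathAPI.selectNodeList(contextNode, expression). */
    static NodeList selectNodeList(Document doc, String expression)
            throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        return (NodeList) xpath.evaluate(expression, doc, XPathConstants.NODESET);
    }

    public static void main(String[] args) throws Exception {
        // Constructed fragment in the shape of a services-config.xml (not a real BlazeDS file).
        String config = "<services-config><services>"
                + "<service id=\"remoting-service\"/>"
                + "<service id=\"message-service\"/>"
                + "</services></services-config>";
        NodeList services = selectNodeList(parse(config), "/services-config/services/service");
        for (int i = 0; i < services.getLength(); i++) {
            System.out.println("service: " + ((Element) services.item(i)).getAttribute("id"));
        }

        // Constructed document carrying a DOCTYPE with an internal entity. The hardened
        // parser rejects it before any entity, internal or external, is evaluated.
        String withDoctype = "<!DOCTYPE x [<!ENTITY e \"expanded\">]><x>&e;</x>";
        try {
            parse(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected DOCTYPE as intended: " + e.getMessage());
        }
    }
}
```

The two halves belong together: dropping CachedXPathAPI removes the Xalan jars that dependency-check flags, and the DocumentBuilderFactory settings are what keeps the "XML entities referencing protected resources" class of bug closed regardless of which parser ends up on the classpath. Run a document with a DOCTYPE through the configured parser as a regression check whenever the parser configuration changes.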


Re: [EXTERNAL] BlazeDS release

2022-08-16 Thread Tom Chiverton

The issue there is when processing malicious XSLT.

We don't pass untrusted XSLT to it?

Tom

On 15/08/2022 22:36, Brian Raymes wrote:

Seems like those dependencies need to be replaced due to vulnerabilities, as 
the Apache Xalan project has been retired:

https://github.com/advisories/GHSA-9339-86wc-4qgf



-Original Message-
From: Piotr Zarzycki 
Sent: Sunday, August 14, 2022 3:26 AM
To: dev@flex.apache.org
Subject: [EXTERNAL] BlazeDS release

Hi All,

In this thread I will be reporting updates related to release of BlazeDS. I 
looked into Chris's branch and I would like to exclude Proxy module from 
upcoming release. Please let me know in this thread whether you have anything 
against it.

Meanwhile I have the following error on the console during build - Anyone know what
that means?

One or more dependencies were identified with known vulnerabilities in
flex-messaging-common:


serializer-2.7.2.jar (pkg:maven/xalan/serializer@2.7.2,
cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169

xalan-2.7.2.jar (pkg:maven/xalan/xalan@2.7.2,
cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169



See the dependency-check report for more details.



[*INFO*]
**

[*INFO*] *Reactor Summary for Apache Flex - BlazeDS 4.8.0-SNAPSHOT:*

[*INFO*]

[*INFO*] Apache Flex - BlazeDS ..
*SUCCESS* [  5.914
s]

[*INFO*] flex-messaging-archetypes ..
*SUCCESS* [  1.409
s]

[*INFO*] blazeds-spring-boot-example-archetype ..
*SUCCESS* [  4.430
s]

[*INFO*] flex-messaging-common ..
*FAILURE* [  2.155
s]

[*INFO*] flex-messaging-core  *SKIPPED*

[*INFO*] flex-messaging-proxy ... *SKIPPED*

[*INFO*] flex-messaging-remoting  *SKIPPED*

[*INFO*] flex-messaging-opt . *SKIPPED*

[*INFO*] flex-messaging-opt-tomcat .. *SKIPPED*

[*INFO*] flex-messaging-opt-tomcat-base . *SKIPPED*

[*INFO*]
**

[*INFO*] *BUILD FAILURE*

[*INFO*]
**

[*INFO*] Total time:  14.115 s

[*INFO*] Finished at: 2022-08-14T12:24:30+02:00

[*INFO*]
**

[*ERROR*] Failed to execute goal
org.owasp:dependency-check-maven:7.1.0:check *(default)* on project
flex-messaging-common:

[*ERROR*]

[*ERROR*] *One or more dependencies were identified with vulnerabilities that 
have a CVSS score greater than or equal to '4.0': *

[*ERROR*]

[*ERROR*] *serializer-2.7.2.jar: CVE-2022-34169(9.8)*

[*ERROR*] *xalan-2.7.2.jar: CVE-2022-34169(9.8)*

[*ERROR*]

[*ERROR*] *See the dependency-check report for more details.*

Thanks,




RE: [EXTERNAL] BlazeDS release

2022-08-15 Thread Brian Raymes
Seems like those dependencies need to be replaced due to vulnerabilities, as 
the Apache Xalan project has been retired:

https://github.com/advisories/GHSA-9339-86wc-4qgf



-Original Message-
From: Piotr Zarzycki  
Sent: Sunday, August 14, 2022 3:26 AM
To: dev@flex.apache.org
Subject: [EXTERNAL] BlazeDS release

Hi All,

In this thread I will be reporting updates related to release of BlazeDS. I 
looked into Chris's branch and I would like to exclude Proxy module from 
upcoming release. Please let me know in this thread whether you have anything 
against it.

Meanwhile I have the following error on the console during build - Anyone know what
that means?

One or more dependencies were identified with known vulnerabilities in
flex-messaging-common:


serializer-2.7.2.jar (pkg:maven/xalan/serializer@2.7.2,
cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169

xalan-2.7.2.jar (pkg:maven/xalan/xalan@2.7.2,
cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169



See the dependency-check report for more details.



[*INFO*]
**

[*INFO*] *Reactor Summary for Apache Flex - BlazeDS 4.8.0-SNAPSHOT:*

[*INFO*]

[*INFO*] Apache Flex - BlazeDS ..
*SUCCESS* [  5.914
s]

[*INFO*] flex-messaging-archetypes ..
*SUCCESS* [  1.409
s]

[*INFO*] blazeds-spring-boot-example-archetype ..
*SUCCESS* [  4.430
s]

[*INFO*] flex-messaging-common ..
*FAILURE* [  2.155
s]

[*INFO*] flex-messaging-core  *SKIPPED*

[*INFO*] flex-messaging-proxy ... *SKIPPED*

[*INFO*] flex-messaging-remoting  *SKIPPED*

[*INFO*] flex-messaging-opt . *SKIPPED*

[*INFO*] flex-messaging-opt-tomcat .. *SKIPPED*

[*INFO*] flex-messaging-opt-tomcat-base . *SKIPPED*

[*INFO*]
**

[*INFO*] *BUILD FAILURE*

[*INFO*]
**

[*INFO*] Total time:  14.115 s

[*INFO*] Finished at: 2022-08-14T12:24:30+02:00

[*INFO*]
**

[*ERROR*] Failed to execute goal
org.owasp:dependency-check-maven:7.1.0:check *(default)* on project
flex-messaging-common:

[*ERROR*]

[*ERROR*] *One or more dependencies were identified with vulnerabilities that 
have a CVSS score greater than or equal to '4.0': *

[*ERROR*]

[*ERROR*] *serializer-2.7.2.jar: CVE-2022-34169(9.8)*

[*ERROR*] *xalan-2.7.2.jar: CVE-2022-34169(9.8)*

[*ERROR*]

[*ERROR*] *See the dependency-check report for more details.*

Thanks,
-- 

Piotr Zarzycki