Karthick created GERONIMO-6814:
----------------------------------

             Summary: Improve Geronimo specs to mitigate CVE-2011-5034
                 Key: GERONIMO-6814
                 URL: https://issues.apache.org/jira/browse/GERONIMO-6814
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: geronimo-maven-plugin
    Affects Versions: 1.1.1
            Reporter: Karthick


Hi,


By default Apache Karaf 4.3.2 ([Maven Repository: org.apache.karaf » apache-karaf » 4.3.2 (mvnrepository.com)|https://mvnrepository.com/artifact/org.apache.karaf/apache-karaf/4.3.2]) packs jms_geronimo_1.1_spec version 1.1.1, which, when scanned through security tools like JFrog Xray and Anchore, reports CVE-2011-5034 ([NVD - CVE-2011-5034 (nist.gov)|https://nvd.nist.gov/vuln/detail/CVE-2011-5034]).

However, there seems to be no later version of geronimo where this CVE is fixed. It has been 10 years since this CVE was created and no fix seen yet. Do you have analysis on whether this CVE really affects geronimo specs or any plan to provide the next version?

There 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
