Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)

2019-06-03 Thread Tibor Digana
 @Mickael Istria
@Eric Lilja 
@Elliotte Rusty Harold

We are the maintainers.

But there is one thing I do not understand: why is such an upgrade so important
for the users, even if overriding the dependency in the user's POM is so simple?
Do you inherit from this project and need dom4j as a transitive
dependency?

Having a look at CVE-2018-1000632 (
https://www.cvedetails.com/cve/CVE-2018-1000632/), the root of the security fix
in DOM4J 2.1.1 is called "XML Injection on element and attribute". The
issue talks about names of elements where you pass a character like "<". Do we
use such element names in this project? No! Because they are hard-coded strings
in our code:

.addElement( "modules" )
.addElement( "module" )

The classes of DOM4J are used within the method stack and not exposed outside.
The security fix simply throws an exception in case of using "<" in a qname.

The question is why the pressure is so high in maven-archetype, even if
we see that the basis of the security fix cannot improve our life.

Resources:
https://www.cvedetails.com/cve/CVE-2018-1000632/
https://ihacktoprotect.com/post/dom4j-xml-injection/
https://github.com/dom4j/dom4j/issues/48

Cheers
Tibor

On Mon, Jun 3, 2019 at 7:47 PM Eric Lilja  wrote:

> +1, people on old versions of Java can remain on the old version of the
> plugin. No one who is in a project where an old version of Java is still in
> use (< 8) expects to have everything else in their ecosystem (3PPs, maven
> plugins etc) at bleeding edge versions. I guess many such projects are many
> versions behind on even supported releases...particularly regarding Maven
> plugins.
>
> - Eric L
>
> On Mon, Jun 3, 2019 at 7:23 PM Mickael Istria  wrote:
>
> > People who don't want to update are the ones who have to pay the effort,
> > not the project that tries to ship a security fix.
> > The simplest path forward is the one provided by Tony. Customers who
> don't
> > want to use it can remain on previous version of the archetype plugins.
> > Other proposals to fix it are just more time-consuming without providing
> > value to Maven project.
> >
>
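To make the point of the message above concrete, here is an added Java example; it is not code from maven-archetype or from dom4j. It builds the `<modules>`/`<module>` fragment with literal element names (the pattern quoted in the mail), shows that dom4j escapes text content so a `<` in a module id cannot open a new element, and shows the check a caller would need if an element name ever did come from outside. `DocumentHelper`, `addElement` and `addText` are dom4j's real API; the `ArchetypeXmlNameCheck` class and its `XML_NAME` pattern (a simplified, ASCII-only form of the XML Name production) are this example's own assumptions, and the sample inputs are constructed.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

import org.dom4j.Document;
import org.dom4j.DocumentHelper;
import org.dom4j.Element;

/**
 * Added example (not maven-archetype or dom4j code): why hard-coded element
 * names sit outside the scope of CVE-2018-1000632, and how a name that does
 * come from outside would be validated before it reaches dom4j.
 */
public class ArchetypeXmlNameCheck {

    // Simplified (ASCII) XML Name production: NameStartChar followed by NameChar*.
    // '<', '>', '/', quotes and whitespace are all excluded. The full production
    // also permits many non-ASCII ranges; this example deliberately stays narrow.
    private static final Pattern XML_NAME = Pattern.compile("[A-Za-z_:][A-Za-z0-9_:.-]*");

    /** True when {@code name} is a syntactically valid (ASCII) XML name. */
    public static boolean isValidXmlName(String name) {
        return name != null && XML_NAME.matcher(name).matches();
    }

    /**
     * Rejects invalid names before they reach dom4j. dom4j 2.1.1 performs an
     * equivalent check inside QName and throws IllegalArgumentException;
     * with dom4j 1.6.1 the caller has to supply the check itself, as here.
     */
    public static String requireXmlName(String name) {
        if (!isValidXmlName(name)) {
            throw new IllegalArgumentException("Illegal XML name: " + name);
        }
        return name;
    }

    /**
     * Builds <modules><module>..</module></modules> the way the mail describes:
     * the element names are literals and only the text content varies.
     * dom4j escapes text content on serialization, so a module id containing
     * '<' is written as "&lt;" and cannot start a new element.
     */
    public static Document buildModules(List<String> moduleIds) {
        Document doc = DocumentHelper.createDocument();
        Element modules = doc.addElement("modules");       // hard-coded element name
        for (String id : moduleIds) {
            modules.addElement("module").addText(id);      // hard-coded name, escaped text
        }
        return doc;
    }

    /**
     * The situation the CVE is about: an element name taken from outside the
     * program. The name is validated first, so a string that is not an XML
     * name is rejected instead of being written verbatim into the output.
     */
    public static Document buildWithUntrustedName(String elementName) {
        Document doc = DocumentHelper.createDocument();
        doc.addElement(requireXmlName(elementName));
        return doc;
    }

    public static void main(String[] args) {
        // Constructed sample input: the second id carries a '<' in its text content.
        System.out.println(buildModules(Arrays.asList("core", "web<x")).asXML());

        // Constructed sample input: a string that is not a valid XML name.
        try {
            buildWithUntrustedName("module><injected");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running `main` prints the serialized document, with the `<` of the second module id escaped, and then the rejection message for the invalid name. The distinction the example draws is the one that matters for the archetype plugin: text content is escaped by the serializer, element and attribute names are not, so only code that passes external strings as names is affected by the CVE.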


Re: [MNG-6667] Hint at Maven upgrade requirement when trying to build a pom.xml with a newer modelVersion

2019-06-03 Thread Stephen Connolly
Merged

On Sun 2 Jun 2019 at 11:44, Stephen Connolly <
stephen.alan.conno...@gmail.com> wrote:

> I’m going to add a test where the “newer” pom has an incompatible schema
> with only modelVersion retained to ensure the parser errors get dismissed
> and we bomb early with the modelVersion complaint
>
> On Sat 1 Jun 2019 at 22:05, Stephen Connolly <
> stephen.alan.conno...@gmail.com> wrote:
>
>> Ok I've switched to a dedicated comparator. The comparator you suggested
>> is not available on the classpath in that module and the other alternatives
>> you suggested could unintentionally leak side-effects.
>>
>> On Sat, 1 Jun 2019 at 16:03, Robert Scholte  wrote:
>>
>>> This is a bit awkward, a modelVersion is not an artifactVersion even
>>> though they have the same characteristics.
>>> Comparison will work, as would JavaVersion.
>>> I'd prefer a dedicated comparator or GenericVersionScheme
>>>
>>> Robert
>>>
>>> [1]
>>>
>>> https://maven.apache.org/resolver/apidocs/org/eclipse/aether/util/version/GenericVersionScheme.html
>>>
>>>
>>>
>>>
>>> On Sat, 01 Jun 2019 14:48:00 +0200, Stephen Connolly
>>>  wrote:
>>>
>>> > CI passed:
>>> > https://builds.apache.org/job/maven-box/job/maven/job/mng-6667/1/
>>> >
>>> > On Sat 1 Jun 2019 at 13:01, Stephen Connolly <
>>> > stephen.alan.conno...@gmail.com> wrote:
>>> >
>>> >> Finally got some time to do some work on Maven again... who knows
>>> how
>>> >> long
>>> >> it will last!!!
>>> >>
>>> >> https://issues.apache.org/jira/browse/MNG-6667
>>> >>
>>> >>
>>> >>
>>> https://gitbox.apache.org/repos/asf?p=maven.git;a=commit;h=7376a99093984c459f6a70cd1f508bbcf5ef26f7
>>> >>
>>> >> WDYT?
>>> >>
>>> >> If CI passes are we good to merge?
>>> >>
>>> >> -Stephen
>>>
>>> -
>>> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
>>> For additional commands, e-mail: dev-h...@maven.apache.org
>>>
>>> --
> Sent from my phone
>
-- 
Sent from my phone
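As an added illustration of the approach discussed in this thread (example code, not the MNG-6667 commit), the block below implements a dedicated `modelVersion` comparator, separate from any artifact-version scheme, plus an early check that reads only `<modelVersion>` from the POM and reports the upgrade requirement before a strict model reader would choke on unfamiliar elements. The `ModelVersionCheck` class, `MODEL_VERSION_ORDER`, `SUPPORTED_MODEL_VERSION` and the sample POMs are this example's own assumptions; the DOM parser features it sets are the standard JDK ones.

```java
import java.io.StringReader;
import java.util.Comparator;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

/**
 * Added example (not Maven's code): a dedicated comparator for the POM
 * modelVersion and an early check that produces the "upgrade required"
 * message before the strict model reader sees the rest of the file.
 */
public class ModelVersionCheck {

    /** The newest modelVersion this (hypothetical) build tool understands. */
    public static final String SUPPORTED_MODEL_VERSION = "4.0.0";

    /**
     * Compares dotted numeric versions such as "4.0.0" and "5.0.0" component by
     * component; missing components count as 0. Deliberately not an artifact
     * version comparator: modelVersion carries no qualifiers such as "-SNAPSHOT",
     * so the simple numeric rule is the correct one. A non-numeric component
     * raises NumberFormatException, which is the right outcome for a malformed value.
     */
    public static final Comparator<String> MODEL_VERSION_ORDER = (a, b) -> {
        String[] x = a.trim().split("\\.");
        String[] y = b.trim().split("\\.");
        int n = Math.max(x.length, y.length);
        for (int i = 0; i < n; i++) {
            int xi = i < x.length ? Integer.parseInt(x[i]) : 0;
            int yi = i < y.length ? Integer.parseInt(y[i]) : 0;
            if (xi != yi) {
                return Integer.compare(xi, yi);
            }
        }
        return 0;
    };

    /** Returns the text of the top-level <modelVersion> element, or null if absent. */
    public static String readModelVersion(String pomXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Only well-formedness matters here; DTD processing is disabled so an
        // untrusted POM cannot pull in external entities during this pre-check.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(pomXml)));
        for (Node n = doc.getDocumentElement().getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE && "modelVersion".equals(n.getNodeName())) {
                return n.getTextContent().trim();
            }
        }
        return null;
    }

    /**
     * Returns null when the POM's modelVersion is supported; otherwise the
     * message the caller should raise instead of the model reader's own errors.
     */
    public static String modelVersionProblem(String pomXml) throws Exception {
        String found = readModelVersion(pomXml);
        if (found == null) {
            return null; // leave the missing-modelVersion complaint to the model reader
        }
        if (MODEL_VERSION_ORDER.compare(found, SUPPORTED_MODEL_VERSION) > 0) {
            return "POM declares modelVersion " + found + " but this build supports up to "
                    + SUPPORTED_MODEL_VERSION + "; a newer build tool is required.";
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a "newer" POM whose other elements this tool would
        // not understand; only <modelVersion> is needed to give the right message.
        String newerPom = "<project xmlns=\"http://maven.apache.org/POM/4.0.0\">"
                + "<modelVersion>5.0.0</modelVersion><somethingNew/></project>";
        System.out.println(modelVersionProblem(newerPom));

        // Constructed sample: a POM at the supported modelVersion.
        String currentPom = "<project><modelVersion>4.0.0</modelVersion></project>";
        System.out.println(modelVersionProblem(currentPom));
    }
}
```

The pre-check is lenient on purpose: it parses for well-formedness only and ignores every element except `modelVersion`, which is exactly what lets it produce a clear message for a POM whose schema the current reader does not know.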


Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)

2019-06-03 Thread Eric Lilja
+1, people on old versions of Java can remain on the old version of the
plugin. No one who is in a project where an old version of Java is still in
use (< 8) expects to have everything else in their ecosystem (3PPs, maven
plugins etc) at bleeding edge versions. I guess many such projects are many
versions behind on even supported releases...particularly regarding Maven
plugins.

- Eric L

On Mon, Jun 3, 2019 at 7:23 PM Mickael Istria  wrote:

> People who don't want to update are the ones who have to pay the effort,
> not the project that tries to ship a security fix.
> The simplest path forward is the one provided by Tony. Customers who don't
> want to use it can remain on previous version of the archetype plugins.
> Other proposals to fix it are just more time-consuming without providing
> value to Maven project.
>


Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)

2019-06-03 Thread Mickael Istria
People who don't want to update are the ones who have to pay the effort,
not the project that tries to ship a security fix.
The simplest path forward is the one provided by Tony. Customers who don't
want to use it can remain on the previous version of the archetype plugins.
Other proposals to fix it are just more time-consuming without providing
value to the Maven project.


Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)

2019-06-03 Thread Elliotte Rusty Harold
Who's the maintainer? Sometimes a friendly ping through back channels
can work wonders.

On Mon, Jun 3, 2019 at 12:46 PM Homer, Tony  wrote:
>
> >>Perhaps ask the dom4j developers first to see if a 2.0.3 release can be 
> >>scheduled.
> FWIW, there was an issue logged asking for that on 6 December 2018 [1].
> I noted this in the PR as well [2] as an explanation for the bump to 2.1.1 
> and Java 8.
> Just making sure this information is part of the discussion.
>
> [1] https://github.com/dom4j/dom4j/issues/55
> [2] https://github.com/apache/maven-archetype/pull/28
>
>
> On 6/3/19 , 7:59 AM, "Tibor Digana"  wrote:
>
> First of all, this PR was created because of vulnerability
> CVE-2018-1000632.
> Vulnerability or non-vulnerability, the version of javac for dom4j:1.6.1 is
> not an argument for me.
> If some code was broken in that version, it would be an argument. But it
> is not an argument to infinitely grow versions only because somebody in CVE
> wants to. This really is pushing hard to sell technologies and not
> common sense.
>
> T
>
> On Mon, Jun 3, 2019 at 4:48 PM Elliotte Rusty Harold 
> wrote:
>
> > I know there are plenty of places at Java 8+. There are also many who
> > haven't gotten that far. Some of my day job involves Java 7+ clients,
> > and I know of others even further back than that.
> >
> > On Mon, Jun 3, 2019 at 10:38 AM Gary Gregory 
> > wrote:
> > >
> > > FWIW, we are talking at work about Java 8 and 11 only these days. 
> Java 7
> > is
> > > in the distant past. Most people can't even get Java 7 updates since 
> it
> > is
> > > EOL unless you pay.
> > >
> > > Gary
> > >
> > > On Mon, Jun 3, 2019 at 10:35 AM Elliotte Rusty Harold <
> > elh...@ibiblio.org>
> > > wrote:
> > >
> > > > I agree that this should be fixed. I'm not yet convinced that
> > > > requiring Java 8 and upgrading to dom4j 2.1 is the best fix.
> > > >
> > > > On Mon, Jun 3, 2019 at 10:24 AM Enrico Olivelli 
> 
> > > > wrote:
> > > > >
> > > > > Elliotte,
> > > > >
> > > > > On Mon 3 Jun 2019 at 15:59 Elliotte Rusty Harold <
> > > > > elh...@ibiblio.org> wrote:
> > > > >
> > > > > > Perhaps ask the dom4j developers first to see if a 2.0.3 release
> > can
> > > > > > be scheduled.
> > > > > >
> > > > > > And if that doesn't work, how much effort is it to switch off of
> > dom4j
> > > > > > completely?
> > > > > >
> > > > > > maven-archetype strikes me as too important to drop Java 7
> > > > > > compatibility this soon.
> > > > > >
> > > > >
> > > > > Are you -1 on this change?
> > > > > If a user wants to use Java 7 he can use the current version of the
> > plugin.
> > > > >
> > > > > Enrico
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > >
> > > > > >
> > > > > > On Fri, May 31, 2019 at 3:02 PM Homer, Tony 
> 
> > > > wrote:
> > > > > > >
> > > > > > > Currently maven-archetype depends on dom4j 1.6.1 which is
> > vulnerable
> > > > to
> > > > > > CVE-2018-1000632 [1].
> > > > > > > I filed ARCHETYPE-567 [2] to track this.
> > > > > > > In order to mitigate this vulnerability, an update to dom4j
> > 2.1.1 is
> > > > > > needed.
> > > > > > > dom4j 2.1.x requires Java 8+ [3].
> > > > > > > dom4j 2.0.x would retain compatibility with Java 7 (Java 5+) 
> but
> > the
> > > > > > latest release (2.0.2) is vulnerable to CVE-2018-1000632.
> > > > > > > The current dev version (2.0.3) seems to contain a fix for
> > > > > > CVE-2018-1000632 but has been pending release for ~1 year.
> > > > > > >
> > > > > > > I opened PR #28 [4] to make these changes.
> > > > > > > What else should I do to advance this proposal?
> > > > > > >
> > > > > > > Thanks!
> > > > > > > Tony Homer
> > > > > > >
> > > > > > > [1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
> > > > > > > [2] https://issues.apache.org/jira/browse/ARCHETYPE-567
> > > > > > > [3] https://dom4j.github.io
> > > > > > > [4] https://github.com/apache/maven-archetype/pull/28
> > > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Elliotte Rusty Harold
> > > > > > elh...@ibiblio.org
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Elliotte Rusty Harold
> > > > elh...@ibiblio.org
> > > >

Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)

2019-06-03 Thread Homer, Tony
>>Perhaps ask the dom4j developers first to see if a 2.0.3 release can be 
>>scheduled.
FWIW, there was an issue logged asking for that on 6 December 2018 [1].
I noted this in the PR as well [2] as an explanation for the bump to 2.1.1 and 
Java 8.
Just making sure this information is part of the discussion.

[1] https://github.com/dom4j/dom4j/issues/55
[2] https://github.com/apache/maven-archetype/pull/28


On 6/3/19 , 7:59 AM, "Tibor Digana"  wrote:

First of all, this PR was created because of vulnerability CVE-2018-1000632.
Vulnerability or non-vulnerability, the version of javac for dom4j:1.6.1 is not an
argument for me.
If some code was broken in that version, it would be an argument. But it is
not an argument to infinitely grow versions only because somebody in CVE
wants to. This really is pushing hard to sell technologies and not common
sense.

T

On Mon, Jun 3, 2019 at 4:48 PM Elliotte Rusty Harold 
wrote:

> I know there are plenty of places at Java 8+. There are also many who
> haven't gotten that far. Some of my day job involves Java 7+ clients,
> and I know of others even further back than that.
>
> On Mon, Jun 3, 2019 at 10:38 AM Gary Gregory 
> wrote:
> >
> > FWIW, we are talking at work about Java 8 and 11 only these days. Java 7
> is
> > in the distant past. Most people can't even get Java 7 updates since it
> is
> > EOL unless you pay.
> >
> > Gary
> >
> > On Mon, Jun 3, 2019 at 10:35 AM Elliotte Rusty Harold <
> elh...@ibiblio.org>
> > wrote:
> >
> > > I agree that this should be fixed. I'm not yet convinced that
> > > requiring Java 8 and upgrading to dom4j 2.1 is the best fix.
> > >
> > > On Mon, Jun 3, 2019 at 10:24 AM Enrico Olivelli 
> > > wrote:
> > > >
> > > > Elliotte,
> > > >
> > > > On Mon 3 Jun 2019 at 15:59 Elliotte Rusty Harold <
> > > > elh...@ibiblio.org> wrote:
> > > >
> > > > > Perhaps ask the dom4j developers first to see if a 2.0.3 release
> can
> > > > > be scheduled.
> > > > >
> > > > > And if that doesn't work, how much effort is it to switch off of
> dom4j
> > > > > completely?
> > > > >
> > > > > maven-archetype strikes me as too important to drop Java 7
> > > > > compatibility this soon.
> > > > >
> > > >
> > > > Are you -1 on this change?
> > > > If a user wants to use Java 7 he can use the current version of the
> plugin.
> > > >
> > > > Enrico
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > >
> > > > >
> > > > > On Fri, May 31, 2019 at 3:02 PM Homer, Tony 
> > > wrote:
> > > > > >
> > > > > > Currently maven-archetype depends on dom4j 1.6.1 which is
> vulnerable
> > > to
> > > > > CVE-2018-1000632 [1].
> > > > > > I filed ARCHETYPE-567 [2] to track this.
> > > > > > In order to mitigate this vulnerability, an update to dom4j
> 2.1.1 is
> > > > > needed.
> > > > > > dom4j 2.1.x requires Java 8+ [3].
> > > > > > dom4j 2.0.x would retain compatibility with Java 7 (Java 5+) but
> the
> > > > > latest release (2.0.2) is vulnerable to CVE-2018-1000632.
> > > > > > The current dev version (2.0.3) seems to contain a fix for
> > > > > CVE-2018-1000632 but has been pending release for ~1 year.
> > > > > >
> > > > > > I opened PR #28 [4] to make these changes.
> > > > > > What else should I do to advance this proposal?
> > > > > >
> > > > > > Thanks!
> > > > > > Tony Homer
> > > > > >
> > > > > > [1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
> > > > > > [2] https://issues.apache.org/jira/browse/ARCHETYPE-567
> > > > > > [3] https://dom4j.github.io
> > > > > > [4] https://github.com/apache/maven-archetype/pull/28
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Elliotte Rusty Harold
> > > > > elh...@ibiblio.org
> > > > >
> > > > >
> > > > >
> > > > >
> > >
> > >
> > >
> > > --
> > > Elliotte Rusty Harold
> > > elh...@ibiblio.org
> > >
> > >
> > >
>
>
>
> --
> Elliotte Rusty Harold
> elh...@ibiblio.org
>
>
>




Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)

2019-06-03 Thread Tibor Digana
First of all, this PR was created because of vulnerability CVE-2018-1000632.
Vulnerability or non-vulnerability, the version of javac for dom4j:1.6.1 is not an
argument for me.
If some code was broken in that version, it would be an argument. But it is
not an argument to infinitely grow versions only because somebody in CVE
wants to. This really is pushing hard to sell technologies and not common
sense.

T

On Mon, Jun 3, 2019 at 4:48 PM Elliotte Rusty Harold 
wrote:

> I know there are plenty of places at Java 8+. There are also many who
> haven't gotten that far. Some of my day job involves Java 7+ clients,
> and I know of others even further back than that.
>
> On Mon, Jun 3, 2019 at 10:38 AM Gary Gregory 
> wrote:
> >
> > FWIW, we are talking at work about Java 8 and 11 only these days. Java 7
> is
> > in the distant past. Most people can't even get Java 7 updates since it
> is
> > EOL unless you pay.
> >
> > Gary
> >
> > On Mon, Jun 3, 2019 at 10:35 AM Elliotte Rusty Harold <
> elh...@ibiblio.org>
> > wrote:
> >
> > > I agree that this should be fixed. I'm not yet convinced that
> > > requiring Java 8 and upgrading to dom4j 2.1 is the best fix.
> > >
> > > On Mon, Jun 3, 2019 at 10:24 AM Enrico Olivelli 
> > > wrote:
> > > >
> > > > Elliotte,
> > > >
> > > > On Mon 3 Jun 2019 at 15:59 Elliotte Rusty Harold <
> > > > elh...@ibiblio.org> wrote:
> > > >
> > > > > Perhaps ask the dom4j developers first to see if a 2.0.3 release
> can
> > > > > be scheduled.
> > > > >
> > > > > And if that doesn't work, how much effort is it to switch off of
> dom4j
> > > > > completely?
> > > > >
> > > > > maven-archetype strikes me as too important to drop Java 7
> > > > > compatibility this soon.
> > > > >
> > > >
> > > > Are you -1 on this change?
> > > > If a user wants to use Java 7 he can use the current version of the
> plugin.
> > > >
> > > > Enrico
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > >
> > > > >
> > > > > On Fri, May 31, 2019 at 3:02 PM Homer, Tony 
> > > wrote:
> > > > > >
> > > > > > Currently maven-archetype depends on dom4j 1.6.1 which is
> vulnerable
> > > to
> > > > > CVE-2018-1000632 [1].
> > > > > > I filed ARCHETYPE-567 [2] to track this.
> > > > > > In order to mitigate this vulnerability, an update to dom4j
> 2.1.1 is
> > > > > needed.
> > > > > > dom4j 2.1.x requires Java 8+ [3].
> > > > > > dom4j 2.0.x would retain compatibility with Java 7 (Java 5+) but
> the
> > > > > latest release (2.0.2) is vulnerable to CVE-2018-1000632.
> > > > > > The current dev version (2.0.3) seems to contain a fix for
> > > > > CVE-2018-1000632 but has been pending release for ~1 year.
> > > > > >
> > > > > > I opened PR #28 [4] to make these changes.
> > > > > > What else should I do to advance this proposal?
> > > > > >
> > > > > > Thanks!
> > > > > > Tony Homer
> > > > > >
> > > > > > [1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
> > > > > > [2] https://issues.apache.org/jira/browse/ARCHETYPE-567
> > > > > > [3] https://dom4j.github.io
> > > > > > [4] https://github.com/apache/maven-archetype/pull/28
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Elliotte Rusty Harold
> > > > > elh...@ibiblio.org
> > > > >
> > > > >
> > > > >
> > > > >
> > >
> > >
> > >
> > > --
> > > Elliotte Rusty Harold
> > > elh...@ibiblio.org
> > >
> > >
> > >
>
>
>
> --
> Elliotte Rusty Harold
> elh...@ibiblio.org
>
>
>


Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)

2019-06-03 Thread Elliotte Rusty Harold
I know there are plenty of places at Java 8+. There are also many who
haven't gotten that far. Some of my day job involves Java 7+ clients,
and I know of others even further back than that.

On Mon, Jun 3, 2019 at 10:38 AM Gary Gregory  wrote:
>
> FWIW, we are talking at work about Java 8 and 11 only these days. Java 7 is
> in the distant past. Most people can't even get Java 7 updates since it is
> EOL unless you pay.
>
> Gary
>
> On Mon, Jun 3, 2019 at 10:35 AM Elliotte Rusty Harold 
> wrote:
>
> > I agree that this should be fixed. I'm not yet convinced that
> > requiring Java 8 and upgrading to dom4j 2.1 is the best fix.
> >
> > On Mon, Jun 3, 2019 at 10:24 AM Enrico Olivelli 
> > wrote:
> > >
> > > Elliotte,
> > >
> > > On Mon 3 Jun 2019 at 15:59 Elliotte Rusty Harold <
> > > elh...@ibiblio.org> wrote:
> > >
> > > > Perhaps ask the dom4j developers first to see if a 2.0.3 release can
> > > > be scheduled.
> > > >
> > > > And if that doesn't work, how much effort is it to switch off of dom4j
> > > > completely?
> > > >
> > > > maven-archetype strikes me as too important to drop Java 7
> > > > compatibility this soon.
> > > >
> > >
> > > Are you -1 on this change?
> > > If a user wants to use Java 7 he can use the current version of the plugin.
> > >
> > > Enrico
> > >
> > >
> > >
> > >
> > >
> > > >
> > > >
> > > > On Fri, May 31, 2019 at 3:02 PM Homer, Tony 
> > wrote:
> > > > >
> > > > > Currently maven-archetype depends on dom4j 1.6.1 which is vulnerable
> > to
> > > > CVE-2018-1000632 [1].
> > > > > I filed ARCHETYPE-567 [2] to track this.
> > > > > In order to mitigate this vulnerability, an update to dom4j 2.1.1 is
> > > > needed.
> > > > > dom4j 2.1.x requires Java 8+ [3].
> > > > > dom4j 2.0.x would retain compatibility with Java 7 (Java 5+) but the
> > > > latest release (2.0.2) is vulnerable to CVE-2018-1000632.
> > > > > The current dev version (2.0.3) seems to contain a fix for
> > > > CVE-2018-1000632 but has been pending release for ~1 year.
> > > > >
> > > > > I opened PR #28 [4] to make these changes.
> > > > > What else should I do to advance this proposal?
> > > > >
> > > > > Thanks!
> > > > > Tony Homer
> > > > >
> > > > > [1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
> > > > > [2] https://issues.apache.org/jira/browse/ARCHETYPE-567
> > > > > [3] https://dom4j.github.io
> > > > > [4] https://github.com/apache/maven-archetype/pull/28
> > > > >
> > > >
> > > >
> > > > --
> > > > Elliotte Rusty Harold
> > > > elh...@ibiblio.org
> > > >
> > > >
> > > >
> >
> >
> >
> > --
> > Elliotte Rusty Harold
> > elh...@ibiblio.org
> >
> >
> >



-- 
Elliotte Rusty Harold
elh...@ibiblio.org




Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)

2019-06-03 Thread Gary Gregory
FWIW, we are talking at work about Java 8 and 11 only these days. Java 7 is
in the distant past. Most people can't even get Java 7 updates since it is
EOL unless you pay.

Gary

On Mon, Jun 3, 2019 at 10:35 AM Elliotte Rusty Harold 
wrote:

> I agree that this should be fixed. I'm not yet convinced that
> requiring Java 8 and upgrading to dom4j 2.1 is the best fix.
>
> On Mon, Jun 3, 2019 at 10:24 AM Enrico Olivelli 
> wrote:
> >
> > Elliotte,
> >
> > On Mon 3 Jun 2019 at 15:59 Elliotte Rusty Harold <
> > elh...@ibiblio.org> wrote:
> >
> > > Perhaps ask the dom4j developers first to see if a 2.0.3 release can
> > > be scheduled.
> > >
> > > And if that doesn't work, how much effort is it to switch off of dom4j
> > > completely?
> > >
> > > maven-archetype strikes me as too important to drop Java 7
> > > compatibility this soon.
> > >
> >
> > Are you -1 on this change?
> > If a user wants to use Java 7 he can use the current version of the plugin.
> >
> > Enrico
> >
> >
> >
> >
> >
> > >
> > >
> > > On Fri, May 31, 2019 at 3:02 PM Homer, Tony 
> wrote:
> > > >
> > > > Currently maven-archetype depends on dom4j 1.6.1 which is vulnerable
> to
> > > CVE-2018-1000632 [1].
> > > > I filed ARCHETYPE-567 [2] to track this.
> > > > In order to mitigate this vulnerability, an update to dom4j 2.1.1 is
> > > needed.
> > > > dom4j 2.1.x requires Java 8+ [3].
> > > > dom4j 2.0.x would retain compatibility with Java 7 (Java 5+) but the
> > > latest release (2.0.2) is vulnerable to CVE-2018-1000632.
> > > > The current dev version (2.0.3) seems to contain a fix for
> > > CVE-2018-1000632 but has been pending release for ~1 year.
> > > >
> > > > I opened PR #28 [4] to make these changes.
> > > > What else should I do to advance this proposal?
> > > >
> > > > Thanks!
> > > > Tony Homer
> > > >
> > > > [1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
> > > > [2] https://issues.apache.org/jira/browse/ARCHETYPE-567
> > > > [3] https://dom4j.github.io
> > > > [4] https://github.com/apache/maven-archetype/pull/28
> > > >
> > >
> > >
> > > --
> > > Elliotte Rusty Harold
> > > elh...@ibiblio.org
> > >
> > >
> > >
>
>
>
> --
> Elliotte Rusty Harold
> elh...@ibiblio.org
>
>
>


Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)

2019-06-03 Thread Elliotte Rusty Harold
I agree that this should be fixed. I'm not yet convinced that
requiring Java 8 and upgrading to dom4j 2.1 is the best fix.

On Mon, Jun 3, 2019 at 10:24 AM Enrico Olivelli  wrote:
>
> Elliotte,
>
> On Mon 3 Jun 2019 at 15:59 Elliotte Rusty Harold <
> elh...@ibiblio.org> wrote:
>
> > Perhaps ask the dom4j developers first to see if a 2.0.3 release can
> > be scheduled.
> >
> > And if that doesn't work, how much effort is it to switch off of dom4j
> > completely?
> >
> > maven-archetype strikes me as too important to drop Java 7
> > compatibility this soon.
> >
>
> Are you -1 on this change?
> If a user wants to use Java 7 he can use the current version of the plugin.
>
> Enrico
>
>
>
>
>
> >
> >
> > On Fri, May 31, 2019 at 3:02 PM Homer, Tony  wrote:
> > >
> > > Currently maven-archetype depends on dom4j 1.6.1 which is vulnerable to
> > CVE-2018-1000632 [1].
> > > I filed ARCHETYPE-567 [2] to track this.
> > > In order to mitigate this vulnerability, an update to dom4j 2.1.1 is
> > needed.
> > > dom4j 2.1.x requires Java 8+ [3].
> > > dom4j 2.0.x would retain compatibility with Java 7 (Java 5+) but the
> > latest release (2.0.2) is vulnerable to CVE-2018-1000632.
> > > The current dev version (2.0.3) seems to contain a fix for
> > CVE-2018-1000632 but has been pending release for ~1 year.
> > >
> > > I opened PR #28 [4] to make these changes.
> > > What else should I do to advance this proposal?
> > >
> > > Thanks!
> > > Tony Homer
> > >
> > > [1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
> > > [2] https://issues.apache.org/jira/browse/ARCHETYPE-567
> > > [3] https://dom4j.github.io
> > > [4] https://github.com/apache/maven-archetype/pull/28
> > >
> >
> >
> > --
> > Elliotte Rusty Harold
> > elh...@ibiblio.org
> >
> >
> >



-- 
Elliotte Rusty Harold
elh...@ibiblio.org




Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)

2019-06-03 Thread Enrico Olivelli
Elliotte,

On Mon 3 Jun 2019 at 15:59 Elliotte Rusty Harold <
elh...@ibiblio.org> wrote:

> Perhaps ask the dom4j developers first to see if a 2.0.3 release can
> be scheduled.
>
> And if that doesn't work, how much effort is it to switch off of dom4j
> completely?
>
> maven-archetype strikes me as too important to drop Java 7
> compatibility this soon.
>

Are you -1 on this change?
If a user wants to use Java 7 he can use the current version of the plugin.

Enrico





>
>
> On Fri, May 31, 2019 at 3:02 PM Homer, Tony  wrote:
> >
> > Currently maven-archetype depends on dom4j 1.6.1 which is vulnerable to
> CVE-2018-1000632 [1].
> > I filed ARCHETYPE-567 [2] to track this.
> > In order to mitigate this vulnerability, an update to dom4j 2.1.1 is
> needed.
> > dom4j 2.1.x requires Java 8+ [3].
> > dom4j 2.0.x would retain compatibility with Java 7 (Java 5+) but the
> latest release (2.0.2) is vulnerable to CVE-2018-1000632.
> > The current dev version (2.0.3) seems to contain a fix for
> CVE-2018-1000632 but has been pending release for ~1 year.
> >
> > I opened PR #28 [4] to make these changes.
> > What else should I do to advance this proposal?
> >
> > Thanks!
> > Tony Homer
> >
> > [1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
> > [2] https://issues.apache.org/jira/browse/ARCHETYPE-567
> > [3] https://dom4j.github.io
> > [4] https://github.com/apache/maven-archetype/pull/28
> >
>
>
> --
> Elliotte Rusty Harold
> elh...@ibiblio.org
>
>
>


Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)

2019-06-03 Thread Elliotte Rusty Harold
Perhaps ask the dom4j developers first to see if a 2.0.3 release can
be scheduled.

And if that doesn't work, how much effort is it to switch off of dom4j
completely?

maven-archetype strikes me as too important to drop Java 7
compatibility this soon.


On Fri, May 31, 2019 at 3:02 PM Homer, Tony  wrote:
>
> Currently maven-archetype depends on dom4j 1.6.1 which is vulnerable to 
> CVE-2018-1000632 [1].
> I filed ARCHETYPE-567 [2] to track this.
> In order to mitigate this vulnerability, an update to dom4j 2.1.1 is needed.
> dom4j 2.1.x requires Java 8+ [3].
> dom4j 2.0.x would retain compatibility with Java 7 (Java 5+) but the latest 
> release (2.0.2) is vulnerable to CVE-2018-1000632.
> The current dev version (2.0.3) seems to contain a fix for CVE-2018-1000632 
> but has been pending release for ~1 year.
>
> I opened PR #28 [4] to make these changes.
> What else should I do to advance this proposal?
>
> Thanks!
> Tony Homer
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
> [2] https://issues.apache.org/jira/browse/ARCHETYPE-567
> [3] https://dom4j.github.io
> [4] https://github.com/apache/maven-archetype/pull/28
>


-- 
Elliotte Rusty Harold
elh...@ibiblio.org




Re: Dead Links to Wiki Pages

2019-06-03 Thread James Gough
Tibor and I worked through this on the SUREFIRE issue above. I think it
makes sense to remove the link to the wiki but add a note to encourage
people to contribute on GitHub. I'm going to aim to make those changes
across all projects over the next few days.

Thanks Tibor for your guidance.

Jim

On Sun, 2 Jun 2019 at 23:24, Tibor Digana  wrote:

> There is Jira issue reported
> https://issues.apache.org/jira/browse/SUREFIRE-1664
> Every volunteer is welcome!
>
> On Sun, Jun 2, 2019 at 11:23 PM James Gough  wrote:
>
> > Hi,
> >
> > I've just started looking into
> > https://issues.apache.org/jira/browse/MTOOLCHAINS-21, which is a bug
> > report
> > about Toolchains having a dead link to wiki pages previously hosted on:
> > http://docs.codehaus.org/display/MAVENUSER/Toolchains+Plugin
> >
> > I had a look at a few other pages to get an idea what the Wikis were used
> > for and found Surefire, jar signer and verifier on the few I spot checked
> > also have the same dead wiki links.
> >
> > I'm happy to go and fix all these, but thought it would be useful to see
> > what the group thinks. My proposal is that these have been disappearing
> for
> > a while and I only see a few JIRAs (which are not specific in what they
> > need the page for).
> >
> > Proposal is to simply remove all dead links to a wiki from plugin
> projects?
> >
> > Thanks,
> > Jim
> >
>