[ https://issues.apache.org/jira/browse/MSITE-830?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16687112#comment-16687112 ]

Olaf Flebbe commented on MSITE-830:
-----------------------------------

I looked at some of the dependencies. 

struts, for instance, is injected via doxia-site-rendering <-> velocity-tools.

There was a new release of velocity tools which seems to address some of the
issues we see. But IMHO this is the wrong place to discuss it:
doxia-site-rendering should be improved, then maven-site can pick this up.

> Dependency upgrades related to identified security reports
> ----------------------------------------------------------
>
>                 Key: MSITE-830
>                 URL: https://issues.apache.org/jira/browse/MSITE-830
>             Project: Maven Site Plugin
>          Issue Type: Improvement
>            Reporter: Sylwester Lachiewicz
>            Priority: Major
>
> Fix problems reported by [Snyk.io|https://snyk.io/]
>   
> |H|[Arbitrary File Write via Archive Extraction (Zip Slip)|https://app.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31680] in org.codehaus.plexus:plexus-archiver|
> |H|[Arbitrary Code Execution|https://app.snyk.io/vuln/SNYK-JAVA-COMMONSBEANUTILS-30077] in commons-beanutils:commons-beanutils|
> |H|[Arbitrary Code Execution|https://app.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078] in commons-collections:commons-collections|
> |H|[XML External Entity (XXE) Injection|https://app.snyk.io/vuln/SNYK-JAVA-DOM4J-72444] in dom4j:dom4j|
> |H|[Denial of Service (DoS)|https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHEPDFBOX-32417] in org.apache.pdfbox:fontbox|
> |H|[Arbitrary Code Injection|https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-30763] in org.apache.struts:struts-core|
> |H|[Arbitrary Command Execution|https://app.snyk.io/vuln/SNYK-JAVA-ORGMORTBAYJETTY-32091] in org.mortbay.jetty:jetty|
> |M|[Denial of Service (DoS)|https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-32122] in org.apache.commons:commons-compress|
> |M|[Directory Traversal|https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-72275] in org.apache.commons:commons-compress|
> |M|[Man-in-the-Middle (MitM)|https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30646] in org.apache.httpcomponents:httpclient|
> |M|[Directory Traversal|https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-31517] in org.apache.httpcomponents:httpclient|
> |M|[Improper Input Validation|https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30645] in org.apache.httpcomponents:httpclient|
> |M|[Information Exposure|https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30644] in org.apache.httpcomponents:httpclient|
> |M|[Denial of Service (DoS)|https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-30647] in org.apache.httpcomponents:httpclient|
> |M|[Denial of Service (DoS)|https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHEPDFBOX-72426] in org.apache.pdfbox:pdfbox|
> |L|[Denial of Service (DoS)|https://app.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-32473] in org.apache.commons:commons-compress|

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)