Hi guys, Unfortunately both version of these plugins doesn't have newer versions. The latest one are serializer-2.7.2and xalan-2.7.2 and we are using it. Any suggestions?
Thanks, Piotr pon., 22 sie 2022 o 10:44 Piotr Zarzycki <piotrzarzyck...@gmail.com> napisał(a): > Hi Chris and All, > > I will try to upgrade dependencies myself this week. I will let you know > here how it goes. > > Thanks, > Piotr > > wt., 16 sie 2022 o 14:46 Christofer Dutz <christofer.d...@c-ware.de> > napisał(a): > >> Well … >> >> you might not, but a malicious attacker might. >> I think the last few releases of BlazeDS, that I did in the past were >> reacting to CVEs reported in the XML processing part of BlazeDS. Here, for >> example, a malicious attacker could embed xml using xml-entities that >> referenced protected resources on the server and the BlazeDS server just >> resolved them exposing this protected information. >> >> However, I think I remember I turned off the xml processing of external >> resources per default. I probably this problem would not apply in very many >> cases. >> >> However, this seems to be a pretty new vulnerability, as I wasn’t getting >> it when I started the branch. So, I would advise to look, if a newer >> version is available and simply switch to that. If you need help with that >> … give me a ping. Should be a matter of 5 minutes. >> >> Chris >> >> >> From: Tom Chiverton <t...@extravision.com> >> Date: Tuesday, 16 August 2022 at 12:20 >> To: dev@flex.apache.org <dev@flex.apache.org>, Brian Raymes < >> brian.ray...@teotech.com> >> Subject: Re: [EXTERNAL] BlazeDS release >> The issue there is when processing malicious XSLT. >> >> We don't pass untrusted XSLT to it ? >> >> Tom >> >> On 15/08/2022 22:36, Brian Raymes wrote: >> > Seems like those dependencies need to be replaced due to >> vulnerabilities, as the Apache Xalan project has been retired: >> > >> > https://github.com/advisories/GHSA-9339-86wc-4qgf >> > >> > >> > >> > -----Original Message----- >> > From: Piotr Zarzycki <piotrzarzyck...@gmail.com> >> > Sent: Sunday, August 14, 2022 3:26 AM >> > To: dev@flex.apache.org >> > Subject: [EXTERNAL] BlazeDS release >> > >> > Hi All, >> > >> > In this thread I will be reporting updates related to release of >> BlazeDS. I looked into Chris's branch and I would like to exclude Proxy >> module from upcoming release. Please let me know in this thread whether you >> have anything against it. >> > >> > Meanwhile I have following error on the console during build - Anyone >> know what that means ? >> > >> > One or more dependencies were identified with known vulnerabilities in >> > flex-messaging-common: >> > >> > >> > serializer-2.7.2.jar (pkg:maven/xalan/serializer@2.7.2, >> > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169 >> > >> > xalan-2.7.2.jar (pkg:maven/xalan/xalan@2.7.2, >> > cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169 >> > >> > >> > >> > See the dependency-check report for more details. >> > >> > >> > >> > [*INFO*] >> > >> *------------------------------------------------------------------------* >> > >> > [*INFO*] *Reactor Summary for Apache Flex - BlazeDS 4.8.0-SNAPSHOT:* >> > >> > [*INFO*] >> > >> > [*INFO*] Apache Flex - BlazeDS .............................. >> > *SUCCESS* [ 5.914 >> > s] >> > >> > [*INFO*] flex-messaging-archetypes .......................... >> > *SUCCESS* [ 1.409 >> > s] >> > >> > [*INFO*] blazeds-spring-boot-example-archetype .............. >> > *SUCCESS* [ 4.430 >> > s] >> > >> > [*INFO*] flex-messaging-common .............................. >> > *FAILURE* [ 2.155 >> > s] >> > >> > [*INFO*] flex-messaging-core ................................ *SKIPPED* >> > >> > [*INFO*] flex-messaging-proxy ............................... *SKIPPED* >> > >> > [*INFO*] flex-messaging-remoting ............................ *SKIPPED* >> > >> > [*INFO*] flex-messaging-opt ................................. *SKIPPED* >> > >> > [*INFO*] flex-messaging-opt-tomcat .......................... *SKIPPED* >> > >> > [*INFO*] flex-messaging-opt-tomcat-base ..................... *SKIPPED* >> > >> > [*INFO*] >> > >> *------------------------------------------------------------------------* >> > >> > [*INFO*] *BUILD FAILURE* >> > >> > [*INFO*] >> > >> *------------------------------------------------------------------------* >> > >> > [*INFO*] Total time: 14.115 s >> > >> > [*INFO*] Finished at: 2022-08-14T12:24:30+02:00 >> > >> > [*INFO*] >> > >> *------------------------------------------------------------------------* >> > >> > [*ERROR*] Failed to execute goal >> > org.owasp:dependency-check-maven:7.1.0:check *(default)* on project >> > flex-messaging-common: >> > >> > [*ERROR*] >> > >> > [*ERROR*] *One or more dependencies were identified with >> vulnerabilities that have a CVSS score greater than or equal to '4.0': * >> > >> > [*ERROR*] >> > >> > [*ERROR*] *serializer-2.7.2.jar: CVE-2022-34169(9.8)* >> > >> > [*ERROR*] *xalan-2.7.2.jar: CVE-2022-34169(9.8)* >> > >> > [*ERROR*] >> > >> > [*ERROR*] *See the dependency-check report for more details.* >> > >> > Thanks, >> >> ______________________________________________________________________ >> This email has been scanned by the Symantec Email Security.cloud service. >> For more information please visit http://www.symanteccloud.com >> ______________________________________________________________________ >> > > > -- > > Piotr Zarzycki > -- Piotr Zarzycki
