Re: [m2e-dev] CVE-2020-10683

maven-archetype removed the dependency on dom4j about a year ago:

https://github.com/apache/maven-archetype/pull/29

If that's where it's coming from, you should just need to update
maven-archetype.


On Wed, Jun 3, 2020 at 5:21 PM Homer, Tony <tony.homer@xxxxxxxxx> wrote:
>
> Hi m2e-dev.
>
> I imagine it is too late for 2020-06 but m2e is exposed to CVE-2020-10683 by dom4j 2.1.1.
>
> https://nvd.nist.gov/vuln/detail/CVE-2020-10683
>
> The mitigation is to update to 2.1.3.
>
> Should I log a bug for this?
>
> IIRC when there was a CVE from dom4j in the past, it was coming to m2e from maven-archetype and the answer was to report it to them.
>
> Is it the same for this one?
>
> Thanks!
>
> Tony Homer



-- 
Elliotte Rusty Harold
elharo@xxxxxxxxxxx

