Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [m2e-dev] CVE-2020-10683
  • From: "Homer, Tony" <tony.homer@xxxxxxxxx>
  • Date: Wed, 3 Jun 2020 23:12:07 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Uq3n3KcvIleuMYiyAvUheXlndqPtArNBS5DSV8qYagU=; b=ljoVaApeaVpci1Zy/RLgAIc5tLX2fv2xxnG9mYZN0M1RtWJbStmmSOAc/P9coUgIdRy4pflFj1P5wuN4TBkaxpDIWKmrgbJ0ZK51Nc+fK4fBHlJdAg8qI7vmYa7t3PhzaitmCwDVpsfqdE3uwwsx1smZ4iaM/Lmu5e9i58+SRFxZWzzKXXr7eVqEdaBgxIhB6K+wYI0Hej07fHiuWT87E++UPeaZ0e2QROzxNp1oBIFAGO0LLdTiK6eVnnQET5rF1Tw1CRunNvemY976gkzuV7Z4AhnPRHtCCDoBAk1UdLaK2yXQnfSeLz94u3kJNFHE0KT3a1KwwGVPqXeDr0lJtg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=R0Tr9Naj09yyrkz8gngg5nv2QkDN/E6SZ1Q665iCKjGXjKIoFldBxwO0ehnS1tdpNuzC0vYpHbpJgJatXzW4B/0veN7Y4ZWnK+BGxswHcYgwK4BLUP5WFaubG771orQsKOKnDUVxk815UH+3c1gj3i+5BR6fTDCvehJtk90mB3Pb6G9grQ7G9g14BLksCb54hOL494Ny+NLAm00/dKS9laBxt3uLFY6PUlciKfJQLzaWJvT1943uvKBVeQRhBsw3BhGL35QaNT0pPhNd/UCpyq2Zh6TYb/VhuTqa0av+ytzG6KVpEjEfPbdI3DtSQED4fJnzXYPxTRNzk4FWv1Rf5g==
  • Delivered-to: m2e-dev@xxxxxxxxxxx
  • Ironport-sdr: U2Chu5jV7lLtPbTw/jKz3uVUxHH0jfW8iz1HcluvqS1L1vXjKPg17t90mu5TceA3+3ywBRv2RW OE7NAxkcQZmA==
  • Ironport-sdr: RSVXePR4qjQj3SclNAi0WmSBF1exUwHHgqZL6kMR5mYTeQfOLHVGDmzEmTcJ/dgkodPDjjCicm QDFyTxNre8Fw==
  • List-archive: <https://www.eclipse.org/mailman/private/m2e-dev>
  • List-help: <mailto:m2e-dev-request@eclipse.org?subject=help>
  • List-subscribe: <https://www.eclipse.org/mailman/listinfo/m2e-dev>, <mailto:m2e-dev-request@eclipse.org?subject=subscribe>
  • List-unsubscribe: <https://www.eclipse.org/mailman/options/m2e-dev>, <mailto:m2e-dev-request@eclipse.org?subject=unsubscribe>
  • Thread-index: AQHWOfxncspOhtIDtk+8+XJ6YjDW8Q==
  • Thread-topic: [m2e-dev] CVE-2020-10683
  • User-agent: Microsoft-MacOutlook/16.37.20051002
m2e is using maven-archetype 2.4:
https://github.com/eclipse/m2e-core/blob/master/m2e-maven-runtime/org.eclipse.m2e.archetype.common/pom.xml#L27

maven-archetype removed dom4j in 3.1.2:
https://github.com/apache/maven-archetype/commit/bf7961805ea56cdad7e138f47098aacccb314db8

I'll open a change which bumps maven-archetype to 3.1.2 and removes the direct dependency on dom4j from m2e and see what happens.

Here is the commit from the last time a dom4j CVE fix was applied in m2e:
https://github.com/eclipse/m2e-core/commit/cbe8a8990fa168f3750b2accf499f87310907fcd
At that time, the issue was not fixed in maven-archetype, but I seem to recall that there was some reason why it was not practical to bump the maven-archetype dependency to 3+.  I could be misremembering so I will go ahead and give it a shot.  Maybe Fred can comment as he was involved with this last time.

Tony

On 6/3/20 , 2:41 PM, "m2e-dev-bounces@xxxxxxxxxxx on behalf of Homer, Tony" <m2e-dev-bounces@xxxxxxxxxxx on behalf of tony.homer@xxxxxxxxx> wrote:

    Thanks for reminding me about that.  I'll double-check the finding and see what version of maven-archetype m2e is using.

    On 6/3/20 , 2:32 PM, "m2e-dev-bounces@xxxxxxxxxxx on behalf of Elliotte Rusty Harold" <m2e-dev-bounces@xxxxxxxxxxx on behalf of elharo@xxxxxxxxxxx> wrote:

        maven-archetype removed the dependency on dom4j about a year ago:

        https://github.com/apache/maven-archetype/pull/29

        If that's where it's coming from, you should just need to update
        maven-archetype.


        On Wed, Jun 3, 2020 at 5:21 PM Homer, Tony <tony.homer@xxxxxxxxx> wrote:
        >
        > Hi m2e-dev.
        >
        >
        >
        > I imagine it is too late for 2020-06 but m2e is exposed to CVE-2020-10683 by dom4j 2.1.1.
        >
        > https://nvd.nist.gov/vuln/detail/CVE-2020-10683
        >
        > The mitigation is to update to 2.1.3.
        >
        >
        >
        > Should I log a bug for this?
        >
        > IIRC when there was a CVE from dom4j in the past, it was coming to m2e from maven-archetype and the answer was to report it to them.
        >
        > Is it the same for this one?
        >
        >
        >
        > Thanks!
        >
        > Tony Homer
        >
        > _______________________________________________
        > m2e-dev mailing list
        > m2e-dev@xxxxxxxxxxx
        > To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/m2e-dev



        -- 
        Elliotte Rusty Harold
        elharo@xxxxxxxxxxx
        _______________________________________________
        m2e-dev mailing list
        m2e-dev@xxxxxxxxxxx
        To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/m2e-dev

    _______________________________________________
    m2e-dev mailing list
    m2e-dev@xxxxxxxxxxx
    To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/m2e-dev

Back to the top