
Upgrade xalan to 2.7.3 due to CVE-2022-34169 #188

Closed
lukaseder opened this issue May 9, 2023 · 5 comments
Labels
dependencies Pull requests that update a dependency file P: Medium R: Fixed T: Defect
Comments

@lukaseder (Member)

Xalan 2.7.3 has been released to mitigate CVE-2022-34169

@lukaseder lukaseder added P: Medium T: Defect dependencies Pull requests that update a dependency file labels May 9, 2023
@lukaseder lukaseder modified the milestones: Version 2.1.0, Version 2.0.1 May 9, 2023
@lukaseder (Member, Author)

It's just a test dependency, so we don't need to publish a patch release for this.

@lukaseder (Member, Author)

Not sure why they changed dependencies so harshly between patch releases.

xalan 2.7.3:

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>xalan</groupId>
  <artifactId>xalan</artifactId>
  <version>2.7.3</version>
</project>
```

xalan 2.7.2:

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.apache</groupId>
    <artifactId>apache</artifactId>
    <version>4</version>
  </parent>
  <groupId>xalan</groupId>
  <artifactId>xalan</artifactId>
  <version>2.7.2</version>
  <name>Xalan Java</name>
  <description>Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other program.</description>
  <url>http://xml.apache.org/xalan-j/</url>
  <dependencies>
    <dependency>
      <groupId>xalan</groupId>
      <artifactId>serializer</artifactId>
      <version>2.7.2</version>
    </dependency>
    <dependency>
      <groupId>xerces</groupId>
      <artifactId>xercesImpl</artifactId>
      <version>2.9.1</version>
      <optional>true</optional>
    </dependency>
  </dependencies>
</project>
```

So, after upgrading, I guess we'll have to roll our own transitive dependencies?
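The question above is really "which transitive dependencies did consumers silently lose in this patch release?". The following script is an added example (not jOOX's code and not from the issue's author): it parses the two POMs quoted above (embedded here as trimmed, constructed copies), lists the dependencies that disappeared, and separates the ones consumers actually inherited from the ones they never did, since Maven does not propagate `<optional>true</optional>` or test/provided-scoped dependencies transitively. It then renders the `<dependency>` blocks a consumer would have to declare itself; the version in those blocks is copied from the old POM as a starting point and must be aligned with the upgraded artifact, which the page does not give.

```python
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed inputs: the two POMs quoted in the issue, with the long
# <description> and the schema attributes dropped for brevity.
XALAN_2_7_2_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.apache</groupId>
    <artifactId>apache</artifactId>
    <version>4</version>
  </parent>
  <groupId>xalan</groupId>
  <artifactId>xalan</artifactId>
  <version>2.7.2</version>
  <dependencies>
    <dependency>
      <groupId>xalan</groupId>
      <artifactId>serializer</artifactId>
      <version>2.7.2</version>
    </dependency>
    <dependency>
      <groupId>xerces</groupId>
      <artifactId>xercesImpl</artifactId>
      <version>2.9.1</version>
      <optional>true</optional>
    </dependency>
  </dependencies>
</project>"""

XALAN_2_7_3_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>xalan</groupId>
  <artifactId>xalan</artifactId>
  <version>2.7.3</version>
</project>"""


def parse_dependencies(pom_xml):
    """Return {(groupId, artifactId): {"version", "scope", "optional"}} for a POM."""
    # xml.etree is adequate for POMs you fetched yourself; parse untrusted XML with defusedxml.
    root = ET.fromstring(pom_xml)
    deps = {}
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        key = (dep.findtext("m:groupId", namespaces=POM_NS),
               dep.findtext("m:artifactId", namespaces=POM_NS))
        deps[key] = {
            "version": dep.findtext("m:version", namespaces=POM_NS),
            "scope": dep.findtext("m:scope", default="compile", namespaces=POM_NS),
            "optional": dep.findtext("m:optional", default="false", namespaces=POM_NS).strip() == "true",
        }
    return deps


def parent_coordinates(pom_xml):
    """Return (groupId, artifactId, version) of the <parent>, or None if there is none."""
    root = ET.fromstring(pom_xml)
    parent = root.find("m:parent", POM_NS)
    if parent is None:
        return None
    return tuple(parent.findtext(f"m:{tag}", namespaces=POM_NS)
                 for tag in ("groupId", "artifactId", "version"))


def dropped_dependencies(old_pom, new_pom):
    """Dependencies declared by the old POM but absent from the new one."""
    old, new = parse_dependencies(old_pom), parse_dependencies(new_pom)
    return {k: v for k, v in old.items() if k not in new}


def lost_transitives(old_pom, new_pom):
    """Dropped dependencies that consumers really inherited.

    Maven never propagates optional dependencies, and test/provided scopes are
    not propagated either, so only non-optional compile/runtime entries ever
    reached a consumer's classpath through the old POM.
    """
    return {k: v for k, v in dropped_dependencies(old_pom, new_pom).items()
            if not v["optional"] and v["scope"] in ("compile", "runtime")}


def explicit_declarations(lost):
    """Render <dependency> blocks a consumer must now declare itself.

    The version is copied from the old POM only as a starting point; align it
    with the upgraded artifact before committing it.
    """
    blocks = []
    for (group, artifact), info in sorted(lost.items()):
        blocks.append(
            "<dependency>\n"
            f"  <groupId>{group}</groupId>\n"
            f"  <artifactId>{artifact}</artifactId>\n"
            f"  <version>{info['version']}</version> <!-- verify against the new release -->\n"
            "</dependency>")
    return "\n".join(blocks)


if __name__ == "__main__":
    lost = lost_transitives(XALAN_2_7_2_POM, XALAN_2_7_3_POM)
    print("parent:", parent_coordinates(XALAN_2_7_2_POM), "->", parent_coordinates(XALAN_2_7_3_POM))
    print("dropped:", sorted(dropped_dependencies(XALAN_2_7_2_POM, XALAN_2_7_3_POM)))
    print("lost transitives:", sorted(lost))
    print(explicit_declarations(lost))
```

Run against the two POMs above, the script reports both `xalan:serializer` and `xerces:xercesImpl` as dropped, but only `xalan:serializer` as a transitive a consumer could actually have relied on, because `xercesImpl` was optional in 2.7.2 and so never reached downstream classpaths in the first place. The same functions work on any pair of POMs pulled from a repository when reviewing a dependency bump.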

@d4l-w4r commented Nov 6, 2023

Hey @lukaseder any chance that you could publish a patch release for this commit?
The changes have landed in main, but are not in the current 2.0.0 release (version-2.0.0...main)

@lukaseder (Member, Author)

The "current" 2.0 release? :) jOOQ 2.0.0 was released in 2011. That's even before I started this business.

I'm afraid you'll have to patch jOOQ yourself in this case.

Though, please note, as stated in my previous comment here: #188 (comment), this is just a test dependency. Otherwise, xalan is a provided runtime dependency, which you can upgrade in your client code without depending on jOOQ's version.

I hope this helps.

@lukaseder (Member, Author)

I'm sorry, I just realised, this is a jOOX ticket, not a jOOQ one.

Why do you need this to be patched? It's just a test dependency?

@lukaseder lukaseder modified the milestones: Version 2.1.0, Version 2.0.1 May 7, 2024