maven-issues mailing list archives

From "Michael Osipov (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MJAVADOC-545) Struts 1.3.8
Date Mon, 19 Nov 2018 12:23:00 GMT

    [ https://issues.apache.org/jira/browse/MJAVADOC-545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16691637#comment-16691637 ]

Michael Osipov commented on MJAVADOC-545:
-----------------------------------------

That's a tricky one, it is a deep trans dep. The entire Doxia change needs to switch to Velocity
Engine 2.0 and Velocity Tools 3.0. If some newer version is binary compatible you can easily
change this in your parent POM. Is that an option for you?

> Struts 1.3.8
> ------------
>
>                 Key: MJAVADOC-545
>                 URL: https://issues.apache.org/jira/browse/MJAVADOC-545
>             Project: Maven Javadoc Plugin
>          Issue Type: Dependency upgrade
>          Components: javadoc
>    Affects Versions: 3.0.1
>            Reporter: Chris Scott
>            Priority: Major
>
> Our security audits have reported that this plugin has a dependency on Struts 1.3.8 which
> has several critical security flaws. Although this is a build-time only plugin, this still
> represents a security issue. That version of Struts is also EOL which is far from ideal. Is
> there any way to update?
> [https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/version_id-164423/Apache-Struts-1.3.8.html]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
