Dom4j raises a CVE


#1

Hello everybody,

the transitive dependency dom4j 1.6.1, which is used by hibernate-core, has a CVE (see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000632).
I noticed that the version is very old (from 2006). Why isn't the latest org.dom4j 2.x.x used?
The newest version 2.1.1 has this CVE too, but I hope it will be fixed in the next version.

Thanks and cheers

Dennis

EDIT: dom4j 2.1.1 fixed this issue.
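
Until a Hibernate release ships the newer dom4j, a consuming project can override the transitive dependency itself. The Maven fragment below is an added example and not part of this thread or of the Hibernate project's own build; it assumes a project that depends on `org.hibernate:hibernate-core` (the version placeholder is hypothetical) and that the coordinates of the vulnerable artifact pulled in by hibernate-core are `dom4j:dom4j:1.6.1`, while the fixed 2.1.1 release is published under the changed groupId `org.dom4j:dom4j`. Because the groupId changed, pinning `org.dom4j:dom4j` in `dependencyManagement` alone would leave the old `dom4j:dom4j` artifact on the classpath; the old coordinates have to be excluded explicitly.

```xml
<!-- Added example (not from the thread): replace the vulnerable transitive dom4j 1.6.1
     with dom4j 2.1.1 in a project that consumes hibernate-core. -->
<dependencies>
  <dependency>
    <groupId>org.hibernate</groupId>
    <artifactId>hibernate-core</artifactId>
    <version>5.x.y</version> <!-- hypothetical placeholder; use the version your project already declares -->
    <exclusions>
      <!-- dom4j 1.6.1 is published under the old groupId "dom4j"; the fixed 2.x line lives
           under "org.dom4j", so a version override alone would not replace it. -->
      <exclusion>
        <groupId>dom4j</groupId>
        <artifactId>dom4j</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Fixed release (CVE-2018-1000632 is addressed in 2.1.1, as the edit above notes). -->
  <dependency>
    <groupId>org.dom4j</groupId>
    <artifactId>dom4j</artifactId>
    <version>2.1.1</version>
  </dependency>
</dependencies>
```

To confirm which coordinates actually reach the classpath before and after the change, run `mvn dependency:tree -Dincludes=dom4j,org.dom4j` and check that only `org.dom4j:dom4j:jar:2.1.1` remains; a build that still lists `dom4j:dom4j:jar:1.6.1` has not applied the exclusion to every path through which hibernate-core is reached.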


#2

Thanks for the heads up. Please create a Jira issue for this. Thanks.


#3

Created: https://hibernate.atlassian.net/browse/HHH-12964


#4

PR: https://github.com/hibernate/hibernate-orm/pull/2525


#5

Thanks for the issue and Pull Request.


#6

I cannot comment on JIRA tickets, so I’ll try here. Can this be merged back to 5.2, 5.1 and 5.0? I am depending on 5.0 because of … political reasons (my team is not controlling the Spring version used).


#7

Related to merging, you need to talk to @gbadner as she decides what is to be merged on those branches.


#8

Thanks for the tip! :pray:

Edit: I’m quite a noob with this Discourse stuff - I thought there were private messages here.

@gbadner Can we see this issue fixed in the previous Hibernate versions too? I am particularly interested in the 5.0.x branch; since my team cannot change Spring versions, we have (for the time being) to remain on the 5.0.x branch.


#9

Try also via HipChat. You can find more details on the Community page. It might be that you get your answer faster on HipChat.