Bug#1068931: pom.xml version impact
tsteven4
tsteven4 at gmail.com
Tue Apr 16 17:04:19 BST 2024
Having the wrong version in pom.xml results in the deb having the
following files incorrectly named:
root@d19edf0ef10b:/app# diff before after
9c9
< -rw-r--r-- root/root 323778 2024-01-05 16:32
./usr/share/java/dom4j-2.1.1.jar
---
> -rw-r--r-- root/root 323778 2024-01-05 16:32
./usr/share/java/dom4j-2.1.4.jar
18,19c18,19
< drwxr-xr-x root/root 0 2024-01-05 16:32
./usr/share/maven-repo/org/dom4j/dom4j/2.1.1/
< -rw-r--r-- root/root 2230 2024-01-05 16:32
./usr/share/maven-repo/org/dom4j/dom4j/2.1.1/dom4j-2.1.1.pom
---
> drwxr-xr-x root/root 0 2024-01-05 16:32
./usr/share/maven-repo/org/dom4j/dom4j/2.1.4/
> -rw-r--r-- root/root 2230 2024-01-05 16:32
./usr/share/maven-repo/org/dom4j/dom4j/2.1.4/dom4j-2.1.4.pom
22,24c22,24
< lrwxrwxrwx root/root 0 2024-01-05 16:32
./usr/share/java/dom4j.jar -> dom4j-2.1.1.jar
< lrwxrwxrwx root/root 0 2024-01-05 16:32
./usr/share/maven-repo/org/dom4j/dom4j/2.1.1/dom4j-2.1.1.jar ->
../../../../../java/dom4j-2.1.1.jar
< lrwxrwxrwx root/root 0 2024-01-05 16:32
./usr/share/maven-repo/org/dom4j/dom4j/debian/dom4j-debian.jar ->
../../../../../java/dom4j-2.1.1.jar
---
> lrwxrwxrwx root/root 0 2024-01-05 16:32
./usr/share/java/dom4j.jar -> dom4j-2.1.4.jar
> lrwxrwxrwx root/root 0 2024-01-05 16:32
./usr/share/maven-repo/org/dom4j/dom4j/2.1.4/dom4j-2.1.4.jar ->
../../../../../java/dom4j-2.1.4.jar
> lrwxrwxrwx root/root 0 2024-01-05 16:32
./usr/share/maven-repo/org/dom4j/dom4j/debian/dom4j-debian.jar ->
../../../../../java/dom4j-2.1.4.jar
That may be responsible for at least one tool flagging a security
vulnerability that was fixed in 2.1.3. Docker scout reports:
CRITICAL CVE-2020-10683
pkg:maven/org.dom4j/dom4j@2.1.1
9.8
1 image
Yes
2.1.3
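
An added example, not part of the original message or of the Debian packaging: one way to catch this mismatch before a scanner does. It reads a `dpkg-deb -c` style listing, derives the Maven package URL each installed .pom will be reported under, and flags any whose version differs from the package's upstream version. The function names, the sample listing (unwrapped lines from the diff above) and the Debian version string `2.1.4-1` are assumptions made for the illustration.

```python
import re

# Path of a .pom installed under the Debian Maven repository layout shown above.
POM_RE = re.compile(
    r"\./usr/share/maven-repo/(?P<group>.+)/(?P<artifact>[^/]+)/(?P<version>[^/]+)/"
    r"(?P=artifact)-(?P=version)\.pom$"
)

def upstream_version(debian_version):
    """Heuristic: drop epoch, Debian revision and +/~ suffixes ('1:2.1.4+dfsg-1' -> '2.1.4')."""
    v = debian_version.split(":", 1)[-1]
    if "-" in v:
        v = v.rsplit("-", 1)[0]
    return re.split(r"[+~]", v, maxsplit=1)[0]

def shipped_purls(listing):
    """Return {purl: version} for every .pom found in a `dpkg-deb -c` style listing."""
    purls = {}
    for line in listing.splitlines():
        # The member path is the first field starting with "./" (symlinks add "-> target").
        path = next((f for f in line.split() if f.startswith("./")), None)
        m = POM_RE.match(path) if path else None
        if m and m["version"] != "debian":  # skip the "debian" alias directory seen in the listing
            group = m["group"].replace("/", ".")
            purls[f"pkg:maven/{group}/{m['artifact']}@{m['version']}"] = m["version"]
    return purls

def stale_purls(listing, debian_version):
    """Package URLs whose Maven version differs from the package's upstream version."""
    want = upstream_version(debian_version)
    return sorted(p for p, v in shipped_purls(listing).items() if v != want)

# Constructed sample: unwrapped lines from the "before" listing in the message.
BEFORE = """\
-rw-r--r-- root/root 323778 2024-01-05 16:32 ./usr/share/java/dom4j-2.1.1.jar
drwxr-xr-x root/root 0 2024-01-05 16:32 ./usr/share/maven-repo/org/dom4j/dom4j/2.1.1/
-rw-r--r-- root/root 2230 2024-01-05 16:32 ./usr/share/maven-repo/org/dom4j/dom4j/2.1.1/dom4j-2.1.1.pom
lrwxrwxrwx root/root 0 2024-01-05 16:32 ./usr/share/java/dom4j.jar -> dom4j-2.1.1.jar
"""
AFTER = BEFORE.replace("2.1.1", "2.1.4")  # the listing once pom.xml carries the right version
PKG_VERSION = "2.1.4-1"  # assumed Debian version string, not taken from the page

if __name__ == "__main__":
    print("before:", stale_purls(BEFORE, PKG_VERSION))
    print("after: ", stale_purls(AFTER, PKG_VERSION))
```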