Old Java jre xml-apis-1.0.b2


#1

Hi,
I’m noticing after a code scan that jicofo is compiled on an older version of JRE, specifically version xml-apis-1.0.b2.jar

jicofo_1.0-451-1_amd64.deb
|-> usr/share/jicofo/lib/
|-> xml-apis-1.0.b2.jar

Is it possible that this can be upgraded to a more recent version?


#2

Seems this is a dependency of dom4j; not sure where we use that, but I see that it doesn’t have a version with an updated xml-apis library.
What is the problem you have?


#3

Due to the version, my security scan is reporting it vulnerable to several known CVEs. It’s reported as being part of the Java Platform Standard Edition (JRE) (J2RE) 1.4.2_14 (released March 16, 2007) package, of which upgrading to the latest version, 10.0.2 (released Jul 17, 2018), will mitigate the vulnerabilities.


#4

I see it as a dependency of the tinder xmpp library that we use and of our IQUtils class, and for all those libraries I see we use the latest versions that are available (even though dom4j and xml-apis haven’t been updated for a while, like since 2006). What are the CVEs?

And for the moment we support running with java8 only.


#5

It’s somewhat of an exhaustive list, but here are some:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jre+1.4.2_14


#6

None of these can be a concern for the use of dom4j and the xmpp parsing, especially after the server had validated that xml…
So these are just general Java 4 problems and we are not using it; none of the jitsi components can operate normally using a Java version different from Java 8.


#7

I understand, but it is compiled and built into the debian package (usr/share/jicofo/lib). I notice the dom4j version 1.6.1 is old, from May 2005; the latest version is 2.1.1. Can it be upgraded? Or, if it’s not utilized, then removed? I’m curious about removing them and rebuilding the deb package locally, unless they are required.


#8

They are required; you cannot remove them. If you wish, test whether it will work with the new version and provide a PR.
I see it is a dependency for one of the libraries we use; it can be that it is not compatible with it, as dom4j’s major version has changed, so you can also report it there: https://github.com/igniterealtime/tinder/blob/master/pom.xml#L132
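An added example, not from the thread, of what a practitioner can do with the flagged jar before accepting the scanner’s "JRE 1.4.2_14" attribution: read the jar’s own manifest and Maven pom.properties to confirm it is the xml-apis API jar, and check whether it carries any JRE runtime classes at all. The jar below is constructed in memory; its metadata values are assumptions standing in for the real usr/share/jicofo/lib/xml-apis-1.0.b2.jar.

```python
import io
import zipfile

# Constructed sample jar standing in for usr/share/jicofo/lib/xml-apis-1.0.b2.jar.
# Its manifest and pom.properties contents are assumptions, not copied from the real jar.
def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\n"
                    "Implementation-Title: xml-apis\r\n"
                    "Implementation-Version: 1.0.b2\r\n")
        zf.writestr("META-INF/maven/xml-apis/xml-apis/pom.properties",
                    "# constructed\ngroupId=xml-apis\nartifactId=xml-apis\nversion=1.0.b2\n")
        # xml-apis ships the same package names the JRE provides (org.w3c.dom, ...),
        # which is what lets a name-matching scanner mistake it for the JRE itself.
        zf.writestr("org/w3c/dom/Node.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def parse_manifest(text: str) -> dict:
    """Parse MANIFEST.MF main attributes; a line starting with a space continues the previous value."""
    attrs, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key:
            attrs[key] += line[1:]
        elif ": " in line:
            key, _, value = line.partition(": ")
            attrs[key] = value
    return attrs

def identify_jar(data: bytes) -> dict:
    """Report what the jar says it is and whether it looks like a JRE runtime jar."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8")) \
            if "META-INF/MANIFEST.MF" in names else {}
        coords = None
        for n in names:
            if n.startswith("META-INF/maven/") and n.endswith("/pom.properties"):
                lines = zf.read(n).decode("utf-8").splitlines()
                props = dict(l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
                coords = f"{props.get('groupId')}:{props.get('artifactId')}:{props.get('version')}"
                break
    return {
        "title": manifest.get("Implementation-Title"),
        "version": manifest.get("Implementation-Version"),
        "maven": coords,
        "is_jre_runtime": any(n.startswith("java/lang/") for n in names),  # only rt.jar has these
        "shares_jaxp_packages": any(n.startswith(("org/w3c/dom/", "org/xml/sax/", "javax/xml/")) for n in names),
    }
```

For the real file, pass `open(path, "rb").read()` to `identify_jar`; a result with Maven coordinates for xml-apis and `is_jre_runtime` false is the evidence to attach when disputing the scanner’s JRE match.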