
Release Notes / Version 10.2107

Table Of Contents

CoreMedia Core

Updated JSON-Java

Updated JSON-Java from 20230227 to 20231013

(CMS-23648)

Updated Netty

Updated Netty to 4.1.100

(CMS-23625)

Banned Dependency: net.sf.jtidy:jtidy

pkg:maven/net.sf.jtidy:jtidy@r938 is affected by CVE-2023-34623, a possible denial-of-service (DoS) attack triggered by deeply nested DOM structures.

We validated that the deprecated CoreMedia Site Manager application is affected as soon as authorized editors or services add rich text documents containing deeply nested DOM nodes.

As only the deprecated application is affected, and it is only open for administrative usage, we took the following countermeasures:

  • We banned net.sf.jtidy:jtidy as a dependency at global scope.

  • We re-allowed net.sf.jtidy:jtidy only for modules having com.coremedia.blueprint:site-manager.blueprint-parent as parent, by configuring the corresponding bannedDependenciesIncludes property.

If your Blueprint customizations are affected by this change, you have the following options:

  • Include the banned dependency for your module by corresponding configuration.

  • Evaluate whether com.github.jtidy:jtidy is suitable for your needs. According to its release notes, it resolves CVE-2023-34623 in version 1.0.4 and introduced HTML5 support in the previous version, 1.0.3.
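The following is an added illustration, not CoreMedia's actual parent POM, of how such a global ban with a property-driven opt-in can be expressed with the Maven Enforcer bannedDependencies rule; the plugin wiring, the placeholder default none:none, and the exact property handling are assumptions, while the property name bannedDependenciesIncludes and the coordinates come from this note.

```xml
<!-- Parent POM (assumed layout): ban net.sf.jtidy:jtidy for every module,
     including transitive dependencies (searchTransitive defaults to true). -->
<properties>
  <!-- Assumed default: a pattern that matches nothing, so no module
       re-allows the banned artifact unless it overrides this property. -->
  <bannedDependenciesIncludes>none:none</bannedDependenciesIncludes>
</properties>
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <executions>
        <execution>
          <id>ban-jtidy</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <excludes>
                  <!-- CVE-2023-34623: deeply nested DOM structures -->
                  <exclude>net.sf.jtidy:jtidy</exclude>
                </excludes>
                <includes>
                  <!-- Modules may re-allow the artifact by overriding the property. -->
                  <include>${bannedDependenciesIncludes}</include>
                </includes>
              </bannedDependencies>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>

<!-- Child module whose parent is
     com.coremedia.blueprint:site-manager.blueprint-parent: opt in explicitly,
     so the build fails for any other module that still pulls in jtidy. -->
<properties>
  <bannedDependenciesIncludes>net.sf.jtidy:jtidy</bannedDependenciesIncludes>
</properties>
```

Run mvn validate (or any phase that reaches the enforce goal) to confirm the build fails on a module that has not opted in and still depends on net.sf.jtidy:jtidy.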

(CMS-23203)

Removed transitive dependency snappy-java

snappy-java is a dependency of Zookeeper, which is used by Solr for SolrCloud. It's not used for the Solr standalone or Solr Leader/Follower setup. The latter is used in CMCC/S, hence it's not actually needed and was removed to avoid (false-positive) CVE reports for that dependency.

(CMS-23169)

Updated Jetty to 9.4.51

Updated Jetty from 9.4.48 to 9.4.51 to fix known CVEs.

(CMS-22964)
