Release Notes / Version 11.2310
Table Of ContentsBanned Dependency: net.sf.jtidy:jtidy
pkg:maven/net.sf.jtidy:jtidy@r938
is affected by
CVE-2023-34623
, a possible denial-of-service (DoS)
attack with deeply nested DOM structures.
We validated that the deprecated CoreMedia Site Manager application is affected, as soon as authorized editors or services add rich text documents containing deeply nested DOM nodes.
As only the deprecated application is affected, which is only open for administrative usage, we took the following countermeasures:
We banned
net.sf.jtidy:jtidy
as dependency on global scope.We only allowed
net.sf.jtidy:jtidy
for modules havingcom.coremedia.blueprint:site-manager.blueprint-parent
as parent by configuring correspondingbannedDependenciesIncludes
property.
If your Blueprint customizations are affected by this change, you have the following options:
Include the banned dependency for your module by corresponding configuration.
Evaluate, if
com.github.jtidy:jtidy
is suitable for your needs. According to the release notes, it resolvesCVE-2023-34623
with 1.0.4 and introduced HTML5-support with previous version 1.0.3.
(CMS-23203)
Removed transitive dependency snappy-java
snappy-java
is a dependency of Zookeeper, which is
used by Solr for SolrCloud. It's not used for the Solr standalone or
Solr Leader/Follower setup. The latter is used in CMCC/S, hence it's
not actually needed and was removed to avoid (false-positive) CVE
reports for that dependency.
(CMS-23169)
Removal of Elastic Social models from search index
Models are now removed from the search index, if Model#remove() is invoked and a corresponding search index exists.
(CMS-21419)