/jflex

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JFlex depends on unsafe ant@1.7.0 #294

Closed
regisd opened this Issue Aug 30, 2018 · 0 comments

Comments

Assignees

@regisd regisd

Labels
Projects
  
Open bugs in JFlex core
  
Done in ant task
Milestone
  1.7.0
1 participant
@regisd
@regisd
Member

regisd commented Aug 30, 2018

There is a dependency de.jflex:jflex@1.6.1 → org.apache.ant:ant@1.7.0
ant@1.7.0 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.
https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEANT-30510

@regisd regisd added the security label Aug 30, 2018

@regisd regisd self-assigned this Aug 30, 2018

regisd added a commit to regisd/jflex that referenced this issue Aug 30, 2018

@regisd
Update ant to 1.7.0 -> 1.10.5 
Fix issue jflex-de#294
e533eca

@regisd regisd added this to the 1.7.0 milestone Aug 30, 2018

@regisd regisd referenced this issue Aug 30, 2018

Merged

Update ant to 1.7.0 -> 1.9.7 #295

regisd added a commit that referenced this issue Aug 31, 2018

@regisd
Update ant to 1.7.0 → 1.9.7 (#295) 
* Update ant to 1.7.0 → 1.10.5

Fix Security vulenrability (DoS) #294
Verified
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
0a7d966

@regisd regisd closed this Sep 3, 2018

@regisd regisd added this to Open bugs in JFlex core via automation Sep 30, 2018

@regisd regisd added this to To do in ant task via automation Sep 30, 2018

@regisd regisd moved this from To do to Done in ant task Sep 30, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment