Got security warning on JDom2 2.0.6: CVE-2021-33813

[steinarb]

I got a security warning on JDom 2.0.6, because of CVE-2021-33813: https://nvd.nist.gov/vuln/detail/CVE-2021-33813

From the severity of CVE-2021-33813 it looks like this is something that needs to be fixed.

[oosterholt]

A pull request is already created: #188

[hunterhacker]

If you call builder.setExpandEntities(false) then JDOM won't expand entities. The issue here is people may try to set this only via direct calls to the parser and not with the official JDOM solution (which takes precedence).

https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

I intend to accept the pull request (doesn't hurt, small benefit) but I'm not sure I can push to Maven without either Rolf or a lot of trouble.

[oosterholt]

Any news on this? Did you accept the pull request and did you manage to push to maven?

[hunterhacker]

I accepted. I don't have the maven credentials since that was Rolf's business.

[oosterholt]

Ok. Nice. So, when can we expect a release?

[hunterhacker]

Maybe a non-maven for now?

[memonahad]

@hunterhacker any idea on when we could see an official Maven release with this fix?

[jcoker85]

@hunterhacker Also interested in a Maven release date as soon as possible. Thanks!

[albertus82]

@hunterhacker There are a lot of libs that ultimately depend on jdom2 and now every application that use one of them has CVE-2021-33813, so I hope that a Maven release will follow shortly. Thank you in advance.

[reactivejson]

@hunterhacker we are waiting for a maven release as well, thanks in advance!

[ar]

Hope you can consider the super simple PR #185 as part of the release.

It would make things easier for projects targeting JDK17.

[rolfl]

OK, folk, lots of catching up to do, a mail configuration SNAFU resulted in me missing notifications on JDOM for a while, and I have to collect some content together to push this through (and obviously work to ensure I am not a single point of failure on this process).

Please be patient while I work though all the checks/balances, and ensure all the parts align before pushing a new release.