OCR4all / LAREX

A semi-automatic open-source tool for Layout Analysis and Region EXtraction on early printed books.
MIT License

Security issues in `pom.xml` #299

Closed DemiMarie closed 2 years ago

DemiMarie commented 2 years ago

I noticed that the pom.xml uses insecure HTTP, which is a bad idea. It also should ensure that it does not depend on a Log4J version vulnerable to Log4Shell.

maxnth commented 2 years ago

> I noticed that the pom.xml uses insecure HTTP

I just updated the links to our artifactory in the pom.xml to https, thank you for the hint (0c5ddf370ced5c0a426d47d5cd3b92def917cbea).

> It also should ensure that it does not depend on a Log4J version vulnerable to Log4Shell.

We checked for this the day the exploit was published and luckily couldn't find any usage of Log4j, neither for LAREX directly nor for our docker setup.

DemiMarie commented 2 years ago

Thanks for the quick response @maxnth!
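The two checks raised in this thread (plain-HTTP repository URLs in `pom.xml`, and a declared `log4j-core` dependency in a Log4Shell-affected version) can be automated against a POM file. The script below is an added example and is not part of the LAREX project or this issue; the sample `pom.xml` it parses is constructed for the demonstration, the `artifactory.example.invalid` host is a placeholder, and the `2.17.1` cut-off is an assumed threshold (the Log4Shell-era fixes to `log4j-core` run up to 2.17.1), not a value taken from the thread.

```python
"""Scan a Maven pom.xml for plain-HTTP repository URLs and for a log4j-core
dependency below a fixed version.  Added example; not LAREX project code."""
import re
import xml.etree.ElementTree as ET

# Maven POM namespace, declared on the <project> element of every pom.xml.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Assumed threshold: log4j-core versions below this are reported.  Adjust to
# your own policy; it is not a value taken from the issue thread.
LOG4J_SAFE_VERSION = "2.17.1"

# Constructed sample pom.xml (not the project's real file).  It declares one
# http:// repository, one https:// repository and log4j-core via a property.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>sample</artifactId>
  <version>1.0</version>
  <properties>
    <log4j.version>2.14.1</log4j.version>
  </properties>
  <repositories>
    <repository>
      <id>internal</id>
      <url>http://artifactory.example.invalid/repository/maven-public</url>
    </repository>
    <repository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2</url>
    </repository>
  </repositories>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def _text(elem, tag):
    """Text of a direct child element in the POM namespace, or ''."""
    child = elem.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else ""


def _version_key(version):
    """'2.14.1' -> (2, 14, 1); a trailing qualifier such as '-beta9' is dropped.
    Returns () when no numeric prefix exists (e.g. an unresolved ${...})."""
    match = re.match(r"[\d.]+", version)
    parts = match.group(0).split(".") if match else []
    return tuple(int(p) for p in parts if p)


def _resolve(version, properties):
    """Expand ${prop} references against <properties>; unknown refs stay as-is."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: properties.get(m.group(1), m.group(0)), version)


def scan_pom(pom_text):
    """Return a list of (kind, subject, detail) findings for one pom.xml."""
    root = ET.fromstring(pom_text)
    findings = []

    # 1. Repository URLs fetched over plain HTTP: artifacts and metadata can
    #    be altered in transit, so every <url> should use https://.
    for path in ("m:repositories/m:repository",
                 "m:pluginRepositories/m:pluginRepository"):
        for repo in root.findall(path, NS):
            url = _text(repo, "url")
            if url.lower().startswith("http://"):
                findings.append(("insecure-repository-url", _text(repo, "id"), url))

    # 2. Directly declared log4j-core below the threshold.  Versions given as
    #    ${property} are resolved from the <properties> block first.
    properties = {}
    props = root.find("m:properties", NS)
    if props is not None:
        for prop in props:
            properties[prop.tag.split("}")[-1]] = (prop.text or "").strip()
    for path in ("m:dependencies/m:dependency",
                 "m:dependencyManagement/m:dependencies/m:dependency"):
        for dep in root.findall(path, NS):
            if (_text(dep, "groupId"), _text(dep, "artifactId")) != \
                    ("org.apache.logging.log4j", "log4j-core"):
                continue
            version = _resolve(_text(dep, "version"), properties)
            key = _version_key(version)
            if not key:
                findings.append(("unresolved-version", "log4j-core", version))
            elif key < _version_key(LOG4J_SAFE_VERSION):
                findings.append(("vulnerable-log4j-core", version,
                                 f"below {LOG4J_SAFE_VERSION}"))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in scan_pom(SAMPLE_POM):
        print(f"{kind}: {subject} ({detail})")
```

Run it against a real file with `scan_pom(open("pom.xml").read())`. The log4j check only sees dependencies declared in the POM itself; a Log4j copy pulled in transitively by another library is found with `mvn dependency:tree`, which is the kind of check the maintainers describe doing for both the project and its Docker setup. Note also that Maven 3.8.1 and later refuse plain-HTTP repositories by default, so the http:// finding would surface as a build failure on a current Maven rather than as a silent insecure download.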