Closed balgillo closed 3 years ago
Thanks for the heads up. OSS Index assigned the vulnerabilities based on the jxmpp-* packages in Maven claiming that their sources were here: https://github.com/igniterealtime/Smack
whereas the sources should indeed have been here: https://github.com/igniterealtime/jxmpp/releases
We have fixed this in our local data and it should be public in OSS Index by sometime tomorrow.
Great, thanks for addressing this. I can see it's corrected now.
Description
These vulnerabilities affected old versions of the Smack library, a different org.igniterealtime project. It looks like the same version numbering has been assumed for org.jxmpp projects, because the page says that this affects versions up to 4.0. But the latest is 1.0.2.