eclipse-jgit / jgit

JGit, the Java implementation of git
https://www.eclipse.org/jgit/

CVE-2023-4759 fix for 5.x version? #30

Closed huangfeng212 closed 7 months ago

huangfeng212 commented 7 months ago

Description

Will there be a fix for https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4759 in the 5.x version? I see from Maven Central that there is no fix: https://mvnrepository.com/artifact/org.eclipse.jgit/org.eclipse.jgit. However, our project is staying with Java 8 and cannot use the 6.x version.

I found this thread https://www.eclipse.org/forums/index.php/m/1862132/?srch=CVE-2023-4759#msg_1862132 and, according to that, the new 5.13.3 should have the CVE fixed, but Maven Central still shows that version as having the CVE. I also encountered the same error when I build my project. I think the authority at https://nvd.nist.gov/vuln/detail/CVE-2023-4759 needs to update the listing so that this 5.13.3 version is also a fixed version.

Motivation

Can't find a CVE-free version for 5.x (Java 8).

Alternatives considered

No response

Additional context

No response

tomaswolf commented 7 months ago

5.13.3 has that CVE fixed.

As you wrote, NIST should update the listing. We did send an update request, but they say "This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided."

There's nothing more we can do.
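Since the NVD listing lags the actual fix, a project pinned to the 5.x line has to check its own dependency versions against the fix version stated above (5.13.3) rather than trust a scanner that only reads the NVD range. The script below is an added example, not code from this issue or from the JGit project: it parses the JGit-style version strings found in a `pom.xml` (`major.minor.micro.<build timestamp>-r`, which a plain string comparison gets wrong) and classifies each `org.eclipse.jgit` dependency as fixed or vulnerable on the 5.x line. The `FIXED_VERSIONS` table only carries the 5.x threshold given in the thread; any other major line is reported as "unknown" until you add its threshold from the upstream advisory. The sample POM, its property placeholder and the build timestamps are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Minimum fixed version per JGit major line. The 5.x entry (5.13.3) is the fix
# version stated in the issue above; other lines must be filled in from the
# upstream advisory before this table is relied on for them.
FIXED_VERSIONS = {5: (5, 13, 3)}

# JGit release versions look like 5.13.3.202401111512-r: a numeric triple, an
# optional 12-digit build timestamp and an optional qualifier such as "-r".
# (Assumed pattern; adjust the regex if your artifacts use another scheme.)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d{12}))?(?:-([A-Za-z0-9]+))?$")

POM_NS = "http://maven.apache.org/POM/4.0.0"


def parse_jgit_version(version):
    """Parse a JGit version string into (major, minor, micro, build_timestamp).

    Components are compared as integers: as strings, "5.9.0..." sorts after
    "5.13.3...", which would misclassify an old release as fixed.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised JGit version: {version!r}")
    major, minor, micro, timestamp, _qualifier = match.groups()
    return (int(major), int(minor), int(micro), int(timestamp) if timestamp else 0)


def classify(version):
    """Return 'fixed', 'vulnerable' or 'unknown' for CVE-2023-4759."""
    parsed = parse_jgit_version(version)
    threshold = FIXED_VERSIONS.get(parsed[0])
    if threshold is None:
        return "unknown"  # no fix threshold recorded for this major line
    return "fixed" if parsed[:3] >= threshold else "vulnerable"


def _resolve(value, properties):
    """Expand ${prop} placeholders using the POM's <properties> block."""
    if value is None:
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: properties.get(m.group(1), m.group(0)), value)


def audit_pom(pom_xml):
    """List every org.eclipse.jgit dependency in a pom.xml with its classification."""
    root = ET.fromstring(pom_xml)
    properties = {}
    for props in root.iter(f"{{{POM_NS}}}properties"):
        for prop in props:
            properties[prop.tag.replace(f"{{{POM_NS}}}", "")] = (prop.text or "").strip()

    findings = []
    for dep in root.iter(f"{{{POM_NS}}}dependency"):
        group = dep.findtext(f"{{{POM_NS}}}groupId")
        artifact = dep.findtext(f"{{{POM_NS}}}artifactId")
        version = _resolve(dep.findtext(f"{{{POM_NS}}}version"), properties)
        if group == "org.eclipse.jgit" and version:
            findings.append((artifact, version, classify(version)))
    return findings


# Constructed sample POM: one dependency pinned through a property at the fixed
# 5.13.3 release, one at an older 5.13.x build that predates the fix.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <jgit.version>5.13.3.202401111512-r</jgit.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.eclipse.jgit</groupId>
      <artifactId>org.eclipse.jgit</artifactId>
      <version>${jgit.version}</version>
    </dependency>
    <dependency>
      <groupId>org.eclipse.jgit</groupId>
      <artifactId>org.eclipse.jgit.ssh.apache</artifactId>
      <version>5.13.2.202306221912-r</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, version, status in audit_pom(SAMPLE_POM):
        print(f"{artifact:32} {version:28} {status}")
```

Run it against your own `pom.xml` by reading the file into `audit_pom`; a dependency reported as "vulnerable" needs bumping to 5.13.3 even if your scanner's NVD feed has not yet been corrected, and one reported as "unknown" means the table has no threshold for that major line yet.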