Details
- Type: Bug
- Resolution: Fixed
- Priority: Major
- 2.14.21, 2.15.0
- 2
- Yes
- Sprint: NXRM Immortals Sprint 29
- 3
- non-concept
- 3
Description
The Eclipse Jetty upgrade (NEXUS-21370) has initiated an xstream dependency change from

```xml
<groupId>org.sonatype.nexus.xstream</groupId>
<artifactId>xstream</artifactId>
<version>1.4.6-SONATYPE-03</version>
```

to

```xml
<groupId>com.thoughtworks.xstream</groupId>
<artifactId>xstream</artifactId>
<version>1.4.16</version>
```

The custom Sonatype dependency in previous releases was there to work around a known security vulnerability, as described in these articles:
- https://support.sonatype.com/hc/en-us/articles/213465938-CVE-2014-0792-Nexus-Repository-Manager-2-xstream-Remote-Code-Execution-2014-01-09
- https://support.sonatype.com/hc/en-us/articles/213464858-Configuring-XStream-Whitelist
Now official xstream has switched to a whitelist approach by default (see https://x-stream.github.io/changes.html).
Expected
1. Determine the optimal version of xstream to upgrade into and explain why.
2. Make any documentation changes in KB articles describing the impacts if any in using the new release of repo 2 with the xstream dependency upgrade.
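What the whitelist switch means in practice, as an added example that is not part of this issue or of the Nexus code base: with the type allowlist on, XStream refuses to unmarshal any class that was not explicitly permitted, which is exactly the `ForbiddenClassException` on `PGPConfigurationDTO` that the linked NEXUS-31695 reports; the fix is to allow the application's own DTO types while everything else stays blocked. The example assumes `com.thoughtworks.xstream:xstream:1.4.16` on the classpath; the `PgpConfigurationDTO` class, the `pgpConfiguration` alias, the key value and the hostile document are all constructed for illustration and are not the real Nexus types or a real gadget chain.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;
import java.util.Map;

// Stand-in DTO (hypothetical; not the real com.sonatype.nexus.pgp.api.dto.PGPConfigurationDTO).
class PgpConfigurationDTO {
    String keyId;
    boolean enabled;
}

public class XStreamAllowlistDemo {

    // Build an XStream instance that refuses every type not explicitly allowed.
    // With xstream 1.4.16 this has to be configured by hand (a bare `new XStream()`
    // still runs with the older blacklist); from 1.4.18 on this is the default.
    static XStream lockedDown() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // deny everything...
        xs.addPermission(NullPermission.NULL);                // ...then re-admit null,
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // primitives and wrappers,
        xs.allowTypes(new Class[] { String.class });          // strings,
        xs.allowTypeHierarchy(Collection.class);              // and the usual JDK containers.
        xs.allowTypeHierarchy(Map.class);
        return xs;
    }

    // Unmarshal and report whether the allowlist accepted the root type.
    static Object tryUnmarshal(XStream xs, String label, String xml) {
        try {
            Object o = xs.fromXML(xml);
            System.out.println(label + ": accepted " + o.getClass().getName());
            return o;
        } catch (ForbiddenClassException e) {
            // getMessage() is the rejected class name.
            System.out.println(label + ": refused (" + e.getMessage() + ")");
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xs = lockedDown();
        xs.alias("pgpConfiguration", PgpConfigurationDTO.class);

        PgpConfigurationDTO dto = new PgpConfigurationDTO();
        dto.keyId = "0xDEADBEEF";   // constructed sample value
        dto.enabled = true;
        String xml = xs.toXML(dto); // marshalling is never blocked; only unmarshalling is checked

        // 1. The DTO is not on the allowlist yet: this is the ForbiddenClassException
        //    that NEXUS-31695 describes for PGPConfigurationDTO.
        tryUnmarshal(xs, "before allowTypes", xml);

        // 2. Allow the application's own DTO types explicitly. For a whole package use
        //    xs.allowTypesByWildcard(new String[] { "com.example.dto.**" });
        xs.allowTypes(new Class[] { PgpConfigurationDTO.class });
        PgpConfigurationDTO back = (PgpConfigurationDTO) tryUnmarshal(xs, "after allowTypes", xml);
        System.out.println("round trip: keyId=" + back.keyId + " enabled=" + back.enabled);

        // 3. Widening the list for one DTO does not reopen the door: a document naming an
        //    arbitrary JDK class (constructed here, not a real exploit) is still refused.
        String hostile = "<java.lang.ProcessBuilder><command><string>id</string></command></java.lang.ProcessBuilder>";
        tryUnmarshal(xs, "hostile payload", hostile);
    }
}
```

The manual `addPermission` block is what `XStream.setupDefaultSecurity(xs)` (available from 1.4.10) does for you; the point of writing it out is that every type the application stores with XStream, not just the ones listed in the 2014 KB article, has to be on the list, so an upgrade like this one needs a sweep of all DTOs that are persisted through XStream rather than a single global allow entry.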
Issue Links
- causes: NEXUS-31695 saving pgp configuration fails due to com.thoughtworks.xstream.security.ForbiddenClassException com.sonatype.nexus.pgp.api.dto.PGPConfigurationDTO (Closed)
- is related to: NEXUS-21370 Upgrade Eclipse Jetty 8 to Jetty 9 in Repository 2 (Closed)