From debbugs-submit-bounces@debbugs.gnu.org Sat Jun 04 06:25:36 2022 Received: (at 55776) by debbugs.gnu.org; 4 Jun 2022 10:25:37 +0000 Received: from localhost ([127.0.0.1]:57706 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nxQyO-0002GO-KE for submit@debbugs.gnu.org; Sat, 04 Jun 2022 06:25:36 -0400 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:55389) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nxQyL-0002G1-Ew for 55776@debbugs.gnu.org; Sat, 04 Jun 2022 06:25:34 -0400 Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 58DD75C00FF; Sat, 4 Jun 2022 06:25:26 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute5.internal (MEProxy); Sat, 04 Jun 2022 06:25:26 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=remworks.net; h= cc:cc:content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm3; t=1654338326; x=1654424726; bh=teJzfJ0NsK QPdNaBRQMfJC5G44UxJFHerZTSpuK5KZ0=; b=vtlbX30a/nWfEEKhBM3g+GHABA jOYVlmfPFzjQmm3qHjQQK9D7cfUzSxOFozo4+fAbHdw1FPN+l2SRwmi7Ri4kpfiP +KLEM2ipAFrdAJ3Mi9HSwiRiwC2L8ZgRQ3Aj3N4bDaL4h3aLDZbBtnRBx1u0E9iE krNY5YOr79fAxqUyDBNMQNez/KUAvkRDW7ha+VOwiuUwM40DnC4/GXkxN/muuOj9 QDmEU6uMA0UijgncfyaE0IhRVpiNvSK44Rrchd766tTs7SHDmmxKA98vrOXbgFDC 6kLf0sswVVbKQy2rSf6buy6mynFButGe7htK0E+YH+rSxXbMTy58kBnUTRMw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:date:date:feedback-id :feedback-id:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:sender:subject:subject:to:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm1; t=1654338326; x=1654424726; bh=teJzfJ0NsKQPdNaBRQMfJC5G44Ux JFHerZTSpuK5KZ0=; b=q5Q2f+v18Xb2fZQ2pYljMjTE/ZpKr4cokMNYRIpA3y9A RBV6ybETZI80x7GAvYICSSXDExFfPLFpgc90ocgp/7xqOltfitGtWcjvKH8/Yeie jVb7eky7GUf8hibPHn/Kev/ra+1BUZffDe7L3tCHalB+V62qTTPvnJCzNTOJwQeM 3MvH5RyMMWiRYh0/0rgGNZDL/YDZ/CEi98uyZpnAl2sm6BRv61jISqZiwXRZlRCj jPuwUgcbGu0JRIXMBLew7C3YrlYJgUYfwTcUlL5PayPTcyQTXFLO9BuW9Aa4C4lv iohuxlQoWDGs7/In9+5aA0WOgalXFd7935kqDhRDyQ== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrleekgddvjecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefhvfevufhfffgjkfgfgggtsehttdertddtredtnecuhfhrohhmpeftvghmtgho uchvrghnucdkthcugggvvghruceorhgvmhgtohesrhgvmhifohhrkhhsrdhnvghtqeenuc ggtffrrghtthgvrhhnpeeuheegvdeujeffjefhvefgudekvdeifeduledtgfejfeehjeff fefhheefffegieenucffohhmrghinhepgihmlhdrohhrghdpghhithhhuhgsrdgtohhmpd hhthhtphhrvghquhgvshhtrdgrthenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgr mhepmhgrihhlfhhrohhmpehrvghmtghosehrvghmfihorhhkshdrnhgvth X-ME-Proxy: Feedback-ID: i568842cc:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Sat, 4 Jun 2022 06:25:25 -0400 (EDT) From: Remco van 't Veer To: 55776@debbugs.gnu.org Subject: Re: bug#55776: maven-core fails to build References: <87sfomwaa6.fsf@web.de> Date: Sat, 04 Jun 2022 12:25:21 +0200 In-Reply-To: <87sfomwaa6.fsf@web.de> (Arne Babenhauserheide's message of "Fri, 03 Jun 2022 08:05:02 +0200") Message-ID: <87wndwn2su.fsf@remworks.net> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 55776 Cc: "Dr. Arne Babenhauserheide" X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) I did some digging and found this regression is caused by commit: 6068b83b82475566acd4162467bcf54270f338f9 "gnu: java-jdom: Update to 2.0.6.1 [fixes CVE-2021-33813]." Apparently the fix for this issue causes jdom to be very strict; > java.io.IOException: Invalid input descriptor for merge: > /tmp/plexus-metadata3957336728290309540xml --> > http://xml.org/sax/features/external-general-entities feature > http://xml.org/sax/features/external-general-entities not supported > for SAX driver org.codehaus.plexus.metadata.merge.Driver Which sound familiar when looking at that CVE (https://github.com/advisories/GHSA-2363-cqg2-863c): > An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to > cause a denial of service via a crafted HTTP request. At this time > there is not released fixed version of JDOM. As a workaround, to avoid > external entities being expanded, one can call > builder.setExpandEntities(false) and they won't be expanded. I dunno how to fix this though, I'm just a curious guixer. Easiest path seems to be to make a new java-jdom-2.0.6 var and use that as a native-input for maven. Would that be an acceptable solution? Cheers, Remco