Improve GHSA-xwf4-88xr-hx2j #2826

Conversation

wtwhite commented Oct 7, 2023

Updates

  • Affected products

Comments
Several other components are also affected as a result of cloning (copying source code) or shading (copying source code and renaming packages). Proof-of-Vulnerability projects with tests to verify the presence of the CVE can be found here: https://github.com/jensdietrich/xshady-release/.

See #2258, especially #2258 (comment), for more details.

@github-actions github-actions bot changed the base branch from main to wtwhite/advisory-improvement-2826 October 7, 2023 03:08
darakian commented Oct 9, 2023

Given that this is in the same group id as the base package do you know if this has been fixed and if so do you know of a fix commit?

wtwhite commented Oct 9, 2023

Hi @darakian,

do you know if this has been fixed and if so do you know of a fix commit?

Not as yet. There is one later version available in the Maven Central Repo (1.1.0), but I was not able to get the proof-of-vulnerability test code to run on it at all.

If it would help, I can try harder to get this running. That would tell us whether it's fixed there or not.

wtwhite commented Oct 10, 2023

Hi @darakian,

We were able to confirm that the next (and only) version available on the Maven Central Repo, namely 1.1.0, is not vulnerable, so I've added a "fixed": "1.1.0" entry in b236a07. Is this PR now good to go?

We confirmed this by manually tweaking the PoV pom.xml -- I've put the working version at https://github.com/jensdietrich/xshady-release/tree/main/CVE-2016-5394/NOT-VULNERABLE/org.apache.sling__org.apache.sling.xss.compat__1.1.0. Gory details in jensdietrich/xshady-release#2 (comment) and later comments.

@darakian

Well, I'd like to find a fix commit in the source code if possible, but looking at the commit log it seems like possibly this one
apache/sling-org-apache-sling-xss@de32b14
Does that align with what you're seeing?

wtwhite commented Oct 10, 2023

@darakian Yes it does, based on eyeballing the diff for pom.xml -- thank you for that! Also we know that the version mentioned in the commit message, 1.0.18, is not vulnerable since the vulnerability was fixed in 1.0.12 of org.apache.sling:org.apache.sling.xss.

OTOH I notice your link shows me "This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository". But if you're happy with that, we're happy!

@darakian

I think the git issues stem from the github repo being a mirror of an svn repo
http://svn.apache.org/viewvc/sling/tags/org.apache.sling.xss.compat-1.1.0/

Comparing the 1.1.0 and 1.0.0 tags shows a single commit with no diff
apache/sling-org-apache-sling-xss@org.apache.sling.xss.compat-1.1.0...org.apache.sling.xss.compat-1.0.0

wtwhite commented Oct 11, 2023

@darakian I see the same empty diff as you, however if I manually look at the top-level pom.xml file at each revision, I see differences between them:

wtwhite commented Oct 11, 2023

@darakian I just changed ... to .. in the comparison URL and now I can see the differences I was expecting: https://github.com/apache/sling-org-apache-sling-xss/compare/org.apache.sling.xss.compat-1.1.0..org.apache.sling.xss.compat-1.0.0

My guess is the SVN import means there's no well-defined "merge base" for the 3-dot form to use?
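As an added illustration (not part of the thread), the constructed script below reproduces the behaviour discussed above with git's command-line equivalents of the two compare forms: it builds a throwaway repo whose two tags share no common ancestor (as an SVN import can produce), then compares them with `...`, which needs a merge base, and with `..`, which does not. The tag names `compat-1.0.0`/`compat-1.1.0` and the pom.xml contents are made up.

```shell
#!/bin/sh
# Added example, not code from the PR thread or the Sling project.
# Requires git on PATH; everything is created under a temporary directory.
set -e

# Build a repo with two unrelated histories (constructed sample, not the real repo):
# tag compat-1.0.0 on one root commit, tag compat-1.1.0 on an orphan root commit.
make_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config user.email "example@example.invalid"
  git -C "$dir" config user.name "example"
  printf '<version>1.0.0</version>\n' > "$dir/pom.xml"
  git -C "$dir" add pom.xml
  git -C "$dir" commit -q -m "compat 1.0.0"
  git -C "$dir" tag compat-1.0.0
  git -C "$dir" checkout -q --orphan unrelated-history   # no shared ancestor
  printf '<version>1.1.0</version>\n' > "$dir/pom.xml"
  git -C "$dir" add pom.xml
  git -C "$dir" commit -q -m "compat 1.1.0"
  git -C "$dir" tag compat-1.1.0
  echo "$dir"
}

# Print the number of files a compare expression reports as changed.
# "A...B" diffs B against the merge base of A and B; with no merge base git
# refuses, which this reports as "nobase". "A..B" diffs the two commits directly.
changed_files() {
  if out=$(git -C "$1" diff --name-only "$2" 2>/dev/null); then
    printf '%s\n' "$out" | grep -c . || true
  else
    echo nobase
  fi
}

REPO=$(make_repo)
echo "three-dot: $(changed_files "$REPO" compat-1.1.0...compat-1.0.0)"   # nobase
echo "two-dot:   $(changed_files "$REPO" compat-1.1.0..compat-1.0.0)"    # 1
```

GitHub's compare page defaults to the three-dot form, so a missing merge base shows up there as an empty diff rather than an error.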

@darakian

Oh interesting. Ya, that's a reasonable assumption. I'm not super familiar with the difference between the two forms, but that's an aside for sure. Thanks for digging into this with me 👍

@advisory-database advisory-database bot merged commit 737441f into github:wtwhite/advisory-improvement-2826 Oct 11, 2023
@advisory-database

Hi @wtwhite! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@wtwhite wtwhite deleted the wtwhite-GHSA-xwf4-88xr-hx2j branch October 11, 2023 23:11