$ qlist arduino | grep jar
/usr/share/arduino/lib/jna-platform-4.2.2.jar
/usr/share/arduino/lib/jna-4.2.2.jar
/usr/share/arduino/lib/arduino-core.jar
/usr/share/arduino/lib/pde.jar
/usr/share/arduino/lib/xmlgraphics-commons-2.0.jar
/usr/share/arduino/lib/xml-apis-ext-1.3.04.jar
/usr/share/arduino/lib/xml-apis-1.3.04.jar
/usr/share/arduino/lib/slf4j-simple-1.7.22.jar
/usr/share/arduino/lib/slf4j-api-1.7.22.jar
/usr/share/arduino/lib/rsyntaxtextarea-3.0.3-SNAPSHOT.jar
/usr/share/arduino/lib/jtouchbar-1.0.0.jar
/usr/share/arduino/lib/jssc-2.8.0-arduino4.jar
/usr/share/arduino/lib/jsch-0.1.50.jar
/usr/share/arduino/lib/jmdns-3.5.5.jar
/usr/share/arduino/lib/java-semver-0.8.0.jar
/usr/share/arduino/lib/jackson-databind-2.9.5.jar
/usr/share/arduino/lib/jackson-core-2.9.5.jar
/usr/share/arduino/lib/jackson-annotations-2.9.5.jar
/usr/share/arduino/lib/commons-net-3.3.jar
/usr/share/arduino/lib/commons-logging-1.0.4.jar
/usr/share/arduino/lib/commons-lang3-3.8.1.jar
/usr/share/arduino/lib/commons-io-2.6.jar
/usr/share/arduino/lib/commons-httpclient-3.1.jar
/usr/share/arduino/lib/commons-exec-1.1.jar
/usr/share/arduino/lib/commons-compress-1.8.jar
/usr/share/arduino/lib/commons-codec-1.7.jar
/usr/share/arduino/lib/bcprov-jdk15on-152.jar
/usr/share/arduino/lib/bcpg-jdk15on-152.jar
/usr/share/arduino/lib/batik-xml-1.8.jar
/usr/share/arduino/lib/batik-util-1.8.jar
/usr/share/arduino/lib/batik-transcoder-1.8.jar
/usr/share/arduino/lib/batik-svgpp-1.8.jar
/usr/share/arduino/lib/batik-svg-dom-1.8.jar
/usr/share/arduino/lib/batik-squiggle-1.8.jar
/usr/share/arduino/lib/batik-script-1.8.jar
/usr/share/arduino/lib/batik-rasterizer-1.8.jar
/usr/share/arduino/lib/batik-parser-1.8.jar
/usr/share/arduino/lib/batik-gvt-1.8.jar
/usr/share/arduino/lib/batik-ext-1.8.jar
/usr/share/arduino/lib/batik-dom-1.8.jar
/usr/share/arduino/lib/batik-css-1.8.jar
/usr/share/arduino/lib/batik-codec-1.8.jar
/usr/share/arduino/lib/batik-bridge-1.8.jar
/usr/share/arduino/lib/batik-awt-util-1.8.jar
/usr/share/arduino/lib/batik-anim-1.8.jar
/usr/share/arduino/lib/batik-1.8.jar
/usr/share/arduino/lib/apple.jar
/usr/share/arduino/tools/WiFi101/tool/WiFi101.jar

Most of them have up-to-date versions in the tree.
vaukai, security@ would be very grateful if you could track down the vulnerabilities here
(In reply to John Helmert III from comment #1)
> vaukai, security@ would be very grateful if you could track down the
> vulnerabilities here

* /usr/share/arduino/lib/xmlgraphics-commons-2.0.jar
  CVE-2020-11988 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11988)

* /usr/share/arduino/lib/batik-*-1.8.jar
  CVE-2020-11987 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11987)

* /usr/share/arduino/lib/jackson-databind-2.9.5.jar
  Direct vulnerabilities: CVE-2021-20190 CVE-2020-9548 CVE-2020-9547 CVE-2020-9546
  CVE-2020-36518 CVE-2020-36188 CVE-2020-36186 CVE-2020-36184 CVE-2020-36182
  CVE-2020-36180 CVE-2020-35491 CVE-2020-25649 CVE-2020-24616 CVE-2020-14062
  CVE-2020-14060 CVE-2020-11619 CVE-2020-11112 CVE-2020-10969 CVE-2020-10673
  CVE-2020-10650 CVE-2019-17531 CVE-2019-16943 CVE-2019-16335 CVE-2019-14892
  CVE-2019-14439 CVE-2019-12814 CVE-2019-12086 CVE-2018-19361 CVE-2018-14721
  CVE-2018-14719 CVE-2018-12023 CVE-2018-11307
  (https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.9.5)

* /usr/share/arduino/lib/bcprov-jdk15on-152.jar
  CVE-2020-15522 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15522)
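The check behind comment #2 (walk the bundled jars, pull artifact and version out of each Maven-style filename, match against the jars named as vulnerable) as an added example; this is not code from the bug or from the arduino package. The qlist sample and the CVE table are constructed from the lines quoted above (the jackson-databind list is abbreviated), and the lookup is an exact-version match because the bug names no fixed versions.

```python
import re

# Constructed sample: a subset of the `qlist arduino | grep jar` output quoted in the bug.
QLIST_OUTPUT = """\
/usr/share/arduino/lib/jna-platform-4.2.2.jar
/usr/share/arduino/lib/rsyntaxtextarea-3.0.3-SNAPSHOT.jar
/usr/share/arduino/lib/jssc-2.8.0-arduino4.jar
/usr/share/arduino/lib/jackson-databind-2.9.5.jar
/usr/share/arduino/lib/bcprov-jdk15on-152.jar
/usr/share/arduino/lib/batik-svg-dom-1.8.jar
/usr/share/arduino/lib/batik-1.8.jar
/usr/share/arduino/lib/xmlgraphics-commons-2.0.jar
/usr/share/arduino/lib/apple.jar
"""

# (artifact, version) pairs named in comment #2; a trailing "*" on the artifact
# is a prefix match so that "batik*" covers batik-1.8 and every batik-<module>-1.8.
# The jackson-databind entry is abbreviated to the first two CVEs from the comment.
VULNERABLE = {
    ("xmlgraphics-commons", "2.0"): ["CVE-2020-11988"],
    ("batik*", "1.8"): ["CVE-2020-11987"],
    ("jackson-databind", "2.9.5"): ["CVE-2021-20190", "CVE-2020-9548"],
    ("bcprov-jdk15on", "152"): ["CVE-2020-15522"],
}

# Maven-style names are <artifact>-<version>[-<qualifier>].jar, where the version is
# the first dash-separated component that starts with a digit ("jdk15on" is not one).
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^-]*)(?:-(?P<qualifier>.+))?\.jar$")


def parse_jar_name(filename):
    """Return (artifact, version, qualifier), or None for unversioned jars like apple.jar."""
    m = JAR_RE.match(filename)
    return (m.group("artifact"), m.group("version"), m.group("qualifier")) if m else None


def audit(qlist_output):
    """Map each bundled jar filename to the CVEs recorded for its exact artifact/version."""
    findings = {}
    for path in qlist_output.split():
        name = path.rsplit("/", 1)[-1]
        parsed = parse_jar_name(name)
        if parsed is None:
            continue  # no version in the name; needs manual review, not a silent pass
        artifact, version, _qualifier = parsed
        for (vuln_artifact, vuln_version), cves in VULNERABLE.items():
            prefix = vuln_artifact.endswith("*") and artifact.startswith(vuln_artifact[:-1])
            if (artifact == vuln_artifact or prefix) and version == vuln_version:
                findings[name] = cves
    return findings


if __name__ == "__main__":
    for jar, cves in sorted(audit(QLIST_OUTPUT).items()):
        print(f"{jar}: {' '.join(cves)}")
```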
Actually, according to matthews on irc, there shouldn't be any security impact here. The package having so many vulnerable jars is problematic, but not from a security perspective, as it is not a problem with the trust model of the package.