Re: [orbit-dev] Xerces updated to 2.12.2 (CVE-2022-23437)

IMHO it's high time to drop the old artifacts coming from CVS and the composite repo, and for Orbit to become current-only. There are many other vulnerable things in these old libraries too. Projects that don't want to move can still point to old releases.

On Mon, Jan 31, 2022 at 10:58 AM Pierre-Charles David <pierre-charles.david@xxxxxxx> wrote:
Hi,

As mentioned by Wayne on cross-projects [1], all versions of Xerces up
to 2.12.1 were vulnerable to CVE-2022-23437 [2].
The Xerces team has released a new 2.12.2 version which fixes the issue
[3], and this has been published on Maven Central [4].

I took the liberty of merging the upgrade in orbit-recipes [5] as this is
a security issue. Feel free to revert/update if you believe there is an
issue with the patch.

I could not find many published details about the actual security issue,
but from a look at the Xerces source it is related to the use of
carriage return characters at the end of XML entities:

   https://svn.apache.org/repos/asf/xerces/java/trunk@1897141
   https://svn.apache.org/repos/asf/xerces/java/trunk@1897159

There does not seem to be any other significant change in 2.12.2
compared to the 2.12.1 we published before (it's mostly documentation
changes and error message improvements).

Note that even with the patch, the full Orbit repo still also contains
Xerces 2.9 (it's aggregated from the older Orbit repo at
https://download.eclipse.org/tools/orbit/downloads/drops/R20201118194144/repository/plugins),
which is probably vulnerable.

Regards,
Pierre-Charles David (Obeo)

[1] https://www.eclipse.org/lists/cross-project-issues-dev/msg18920.html
[2] https://nvd.nist.gov/vuln/detail/CVE-2022-23437
[3] https://www.openwall.com/lists/oss-security/2022/01/24/3
[4] https://issues.apache.org/jira/browse/XERCESJ-1735
[5] https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190077

--
Pierre-Charles David (Obeo)



--
Aleksandar Kurtakov
Red Hat Eclipse Team
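Since the quoted message points out that the aggregated Orbit repo still ships Xerces 2.9 next to the patched 2.12.2, the practical question for a consuming project is which Xerces actually ends up on its classpath. The following is an added example (not code from the orbit-dev list, the Orbit project or the Xerces project) that reports the loaded standalone Xerces version via its `org.apache.xerces.impl.Version` class, flags anything older than 2.12.2, and builds a JAXP parser with DTDs and external entities disabled so that entity handling is not reachable from untrusted input regardless of the version in use. The sample document and the `MIN_FIXED` constant are constructed for the example; the version and feature names are the real ones from Xerces and JAXP.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XercesVersionCheck {

    // Lowest Xerces-J release containing the fix discussed on the list (constructed constant).
    static final String MIN_FIXED = "2.12.2";

    /** Returns the standalone Xerces version ("2.12.2", "2.9.0", ...) or null if only the JDK-internal parser is present. */
    static String loadedXercesVersion() {
        try {
            // org.apache.xerces.impl.Version.getVersion() returns a string such as "Xerces-J 2.12.2".
            Class<?> versionClass = Class.forName("org.apache.xerces.impl.Version");
            String raw = (String) versionClass.getMethod("getVersion").invoke(null);
            return raw.replace("Xerces-J", "").trim();
        } catch (ReflectiveOperationException e) {
            // The JDK's bundled copy lives under com.sun.org.apache.xerces.internal and is not what Orbit ships.
            return null;
        }
    }

    /** Leading integer of a version component, so "2" and "2-SNAPSHOT" both compare as 2. */
    static int parseLeadingInt(String component) {
        String digits = component.replaceAll("[^0-9].*$", "");
        return digits.isEmpty() ? 0 : Integer.parseInt(digits);
    }

    /** Numeric dotted-version comparison: negative if a < b, zero if equal, positive if a > b. */
    static int compareVersions(String a, String b) {
        String[] pa = a.split("\\."), pb = b.split("\\.");
        int n = Math.max(pa.length, pb.length);
        for (int i = 0; i < n; i++) {
            int x = i < pa.length ? parseLeadingInt(pa[i]) : 0;
            int y = i < pb.length ? parseLeadingInt(pb[i]) : 0;
            if (x != y) {
                return Integer.compare(x, y);
            }
        }
        return 0;
    }

    static boolean isPatched(String version) {
        return version != null && compareVersions(version, MIN_FIXED) >= 0;
    }

    /** Parser with DOCTYPE, external entities and XInclude disabled; this does not depend on the Xerces version. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        String version = loadedXercesVersion();
        System.out.println("Standalone Xerces on classpath: "
                + (version == null ? "none (JDK built-in parser only)" : version));
        if (version != null && !isPatched(version)) {
            System.out.println("WARNING: Xerces " + version + " is older than " + MIN_FIXED);
        }

        // Constructed sample: any document carrying a DOCTYPE is rejected before entity handling runs.
        String withDoctype = "<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        try {
            hardenedBuilder().parse(new InputSource(new StringReader(withDoctype)));
            System.out.println("Unexpected: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("Rejected DOCTYPE as intended: " + e.getMessage());
        }

        // Plain documents without a DTD still parse normally.
        Document doc = hardenedBuilder().parse(new InputSource(new StringReader("<r>ok</r>")));
        System.out.println("Parsed root element: " + doc.getDocumentElement().getTagName());
    }
}
```

Run it once inside the target product (an Eclipse launch, for example) rather than on a build machine, because the point is to see which of the two bundled Xerces versions the running configuration resolves; a 2.9 result means the old drop is still winning the resolution even though the recipe was updated.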
