Re: [cross-project-issues-dev] Potential vulnerability in Apache Xerces 1.12.1 (CVE-2022-23437)
On 27/01/2022 at 01:25, Nitin Dahyabhai wrote:
Of course, only now do I remember how much effort
Aurélien had to go through just to get the then-current version
onto Maven Central.
According to https://issues.apache.org/jira/browse/XERCESJ-1735
it is now available at
https://repo1.maven.org/maven2/xerces/xercesImpl/2.12.2/
I've proposed a patch to make the update in Orbit:
https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190077
From CVE-2022-23437:
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
More here:
This particular version is in Orbit and in the
Simultaneous Release. It appears that version 2.9 is
also in the simultaneous release. According to the
alert all versions are affected.
According to the CQ record, several projects on
the simultaneous release are using affected
versions.
If anybody from EclipseLink is monitoring this
channel, you have a CQ for this library, but I
haven't found it in your builds yet. You should
probably also have a look.
It seems that the reasonable mitigation strategy
is to update to 2.12.2, but we'll need somebody to
take the lead on that. Any volunteers?
Wayne
--
Wayne Beaton
Director of Open Source Projects | Eclipse Foundation
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
--
Regards,
Nitin Dahyabhai
Eclipse WTP PMC
--
Pierre-Charles David (Obeo)
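The practical takeaway of the thread is a version check: CVE-2022-23437 covers xercesImpl 2.12.1 and everything earlier, the fix is 2.12.2, and the 2.9 bundle mentioned above is exactly the case a naive string comparison would miss, because "2.9" sorts after "2.12.2" lexicographically. The script below is an added example, not code from this thread, from Orbit or from any Eclipse project: it scans lines in the shape that `mvn dependency:list` prints (the sample output is constructed) and reports affected xercesImpl versions using a numeric per-component comparison. The 2.12.2 threshold is taken from the thread; the handling of an Orbit-style `.vYYYYMMDD` qualifier is an assumption.

```python
"""Flag Apache Xerces-J (xerces:xercesImpl) versions affected by CVE-2022-23437.

Added example, not code from the mailing-list thread or from any Eclipse project.
Threshold: the thread reports the fix shipped in xercesImpl 2.12.2, and the CVE text
covers 2.12.1 and all earlier versions, so anything strictly below 2.12.2 is flagged.
"""
import re
from typing import List, Tuple

FIXED_VERSION = "2.12.2"      # first non-affected release, per XERCESJ-1735 in the thread
GROUP_ID = "xerces"
ARTIFACT_ID = "xercesImpl"

# Constructed sample in the shape `mvn dependency:list` prints
# (groupId:artifactId:type:version:scope). Not a real project's output.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] --- maven-dependency-plugin:3.3.0:list (default-cli) @ demo ---
[INFO] The following files have been resolved:
[INFO]    xerces:xercesImpl:jar:2.12.1:compile
[INFO]    xerces:xercesImpl:jar:2.9.0:runtime
[INFO]    xerces:xercesImpl:jar:2.12.2:compile
[INFO]    xerces:xercesImpl:jar:2.11.0.v20211124:compile
[INFO]    xml-apis:xml-apis:jar:1.4.01:compile
"""

# One resolved dependency per line; newer Maven versions append " -- module ..."
# after the scope, so anything following the scope is allowed and ignored.
DEP_RE = re.compile(
    r"^\[INFO\]\s+([^:\s]+):([^:\s]+):([^:\s]+):([^:\s]+):([^:\s]+)(?:\s.*)?$"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.12.1' into (2, 12, 1) so components compare numerically.

    Splitting on '.' and '-' and stopping at the first non-numeric piece means an
    Orbit-style qualifier (assumed format '2.11.0.v20211124') becomes (2, 11, 0).
    """
    components = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        components.append(int(piece))
    return tuple(components)


def is_affected(version: str) -> bool:
    """True when the version is strictly below the fixed release.

    Tuple comparison gives the right answer for 2.9 vs 2.12.2, which a plain
    string comparison gets wrong ('2.9.0' > '2.12.2' lexicographically).
    """
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_affected(dependency_list: str) -> List[str]:
    """Return the affected xercesImpl versions found in `mvn dependency:list` output."""
    affected = []
    for line in dependency_list.splitlines():
        match = DEP_RE.match(line)
        if not match:
            continue
        group, artifact, _packaging, version, _scope = match.groups()
        if group == GROUP_ID and artifact == ARTIFACT_ID and is_affected(version):
            affected.append(version)
    return affected


if __name__ == "__main__":
    for version in find_affected(SAMPLE_DEPENDENCY_LIST):
        print(f"{GROUP_ID}:{ARTIFACT_ID}:{version} is affected by CVE-2022-23437; "
              f"upgrade to {FIXED_VERSION}")
```

To run it against a real build, pipe `mvn dependency:list` output into `find_affected` instead of the constructed sample; the same numeric comparison applies to the bundle versions listed in an Orbit recipe or a p2 repository, which is where the 2.9 copy mentioned in the thread would show up.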