Re: [cross-project-issues-dev] Potential vulnerability in Apache Xerces 1.12.1 (CVE-2022-23437)
On 27/01/2022 at 17:17, Pierre-Charles David wrote:
On 27/01/2022 at 01:25, Nitin Dahyabhai wrote:
Of course, only now do I remember how much effort
Aurélien had to go through just to get the then-current
version onto Maven Central.
According to https://issues.apache.org/jira/browse/XERCESJ-1735
it is now available at https://repo1.maven.org/maven2/xerces/xercesImpl/2.12.2/
I've proposed a patch to make the update in Orbit: https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190077
The patch has been merged. An Orbit I-build with Xerces 2.12.2
(instead of 2.12.1) is available at
https://download.eclipse.org/tools/orbit/downloads/drops/I20220131095416/repository/.
Note that because of the way Orbit repos are built, this also
includes the much older Xerces 2.9, which from the CVE is also
affected by the vulnerability and should be avoided.
From CVE-2022-23437:
There's a
vulnerability within the Apache Xerces Java
(XercesJ) XML parser when handling specially crafted
XML document payloads. This causes the XercesJ XML
parser to wait in an infinite loop, which may
sometimes consume system resources for prolonged
duration. This vulnerability is present within
XercesJ version 2.12.1 and the previous versions.
More here:
This particular version is in Orbit and in the
Simultaneous Release. It appears that version 2.9
is also in the simultaneous release. According to
the alert all versions are affected.
According to the CQ record, several projects on
the simultaneous release are using affected
versions.
If anybody from EclipseLink is monitoring this
channel, you have a CQ for this library, but I
haven't found it in your builds yet. You should
probably also have a look.
It seems that the reasonable mitigation
strategy is to update to 2.12.2, but we'll need
somebody to take the lead on that. Any volunteers?
Wayne
--
Wayne Beaton
Director of Open Source Projects | Eclipse Foundation
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
--
Regards,
Nitin Dahyabhai
Eclipse WTP PMC
--
Pierre-Charles David (Obeo)
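As a check for the "several projects are using affected versions" problem the thread raises, the script below scans `mvn dependency:tree` output for xercesImpl artifacts older than 2.12.2 (the fixed release named above). This is an added example, not code from the thread, Orbit or Xerces; the sample tree text is constructed.

```python
"""Flag Apache Xerces (xercesImpl) versions affected by CVE-2022-23437 in
`mvn dependency:tree` output. Added example, not from the mailing-list
thread. Per the thread, 2.12.1 and earlier are affected; 2.12.2 is fixed."""
import re
from typing import List, Tuple

FIXED_VERSION = (2, 12, 2)  # first release the thread names as not affected

# Matches Maven coordinates such as "xerces:xercesImpl:jar:2.12.1:compile"
XERCES_RE = re.compile(r"\bxerces:xercesImpl:jar:([0-9][0-9A-Za-z.\-]*)")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.12.1' into (2, 12, 1); a non-numeric segment ends the parse,
    so '2.12.2-SNAPSHOT' compares as (2, 12, 2)."""
    parts = []
    for seg in v.split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version sorts below the fixed release (2.12.2)."""
    return parse_version(version) < FIXED_VERSION


def find_affected(tree_output: str) -> List[Tuple[int, str]]:
    """Return (line_number, version) for every affected xercesImpl artifact."""
    hits = []
    for n, line in enumerate(tree_output.splitlines(), 1):
        m = XERCES_RE.search(line)
        if m and is_affected(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


# Constructed sample in the shape `mvn dependency:tree` prints; the 2.9 and
# 2.12.1 entries mirror the two versions the thread says are in Orbit.
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.0.0
[INFO] +- xerces:xercesImpl:jar:2.12.1:compile
[INFO] |  \\- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] +- org.example:legacy:jar:3.1:compile
[INFO] |  \\- xerces:xercesImpl:jar:2.9:compile
[INFO] \\- org.example:fixed:jar:4.0:compile
[INFO]    \\- xerces:xercesImpl:jar:2.12.2:compile
"""

if __name__ == "__main__":
    for n, v in find_affected(SAMPLE_TREE):
        print(f"line {n}: xercesImpl {v} is affected, upgrade to 2.12.2")
```

Pipe real `mvn dependency:tree` output into `find_affected` to list every module still pulling an affected version, including transitive ones hidden behind other dependencies.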