Re: [eclipse-pmc] Timing for fix for Bug 518031: XML External Entity Vulnerability in Eclipse IDE


On Tue, Sep 5, 2017 at 8:17 PM, Brian de Alwis <briandealwis@xxxxxxxxx> wrote:
> Dear PMC,
>
> An XML External Entity Vulnerability (XXE) bug was identified in the Eclipse
> Platform (  The Open
> Web Application Security Project (OWASP) has a page explaining the impacts
> of XXE vulnerabilities.
>
> A fix has been released for Photon to configure the relevant locations that
> parse external XML to use the `XMLConstants.FEATURE_SECURE_PROCESSING`
> feature which disables requesting external DTDs and schemas and limits
> entity processing. The JRE requires that all parsers support the
>
> Given that the fix is small, and a malicious p2 site could be assembled to
> obtain the content of local files, I'd like to request that we backport and
> include this fix for Oxygen.1.
>
> Brian.

Eclipse Platform UI and e4 project co-lead
CEO vogella GmbH

Haindaalwisch 17a, 22395 Hamburg
Amtsgericht Hamburg: HRB 127058
Geschäftsführer: Lars Vogel, Jennifer Nerlich de Vogel
USt-IdNr.: DE284122352
Fax (040) 5247 6322, Email: lars.vogel@xxxxxxxxxxx, Web:
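
The parser setting named in the quoted message, as an added example that is not part of this thread and is not the Eclipse patch: it parses one constructed document with a default `DocumentBuilderFactory` and with one that has `XMLConstants.FEATURE_SECURE_PROCESSING` switched on, and reports whether an external entity was expanded. The class name, the helpers `hardenedFactory` and `probe`, the marker string and the temporary file are assumptions made for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class SecureProcessingCheck {

    // Hypothetical helper: a factory with secure processing switched on,
    // the setting the quoted message says the fix applies.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    // Hypothetical helper: parses xml and reports whether the marker stored in
    // the external file ended up in the parsed document.
    static String probe(DocumentBuilderFactory f, String xml, String marker) {
        try {
            Document d = f.newDocumentBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            String text = d.getDocumentElement().getTextContent();
            return text.contains(marker) ? "external entity EXPANDED" : "parsed, entity not expanded";
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a throwaway file standing in for "a local file".
        String marker = "constructed-marker";
        Path local = Files.createTempFile("xxe-check", ".txt");
        Files.write(local, marker.getBytes(StandardCharsets.UTF_8));
        // Constructed sample document that pulls the file in via an external entity.
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE site [<!ENTITY ext SYSTEM \"" + local.toUri() + "\">]>\n"
                + "<site>&ext;</site>";
        try {
            System.out.println("default factory : " + probe(DocumentBuilderFactory.newInstance(), xml, marker));
            System.out.println("hardened factory: " + probe(hardenedFactory(), xml, marker));
        } finally {
            Files.deleteIfExists(local);
        }
    }
}
```

What each line reports depends on the JAXP implementation and JRE version on the classpath, so run the check against the runtime the product actually ships with.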
