Re: [eclipse-pmc] Timing for fix for Bug 518031: XML External Entity Vulnerability in Eclipse IDE

> Can someone from the Eclipse PMC mark the bug as PMC approved.

Done

On Wed, Sep 6, 2017 at 3:36 PM, Thomas Watson <tjwatson@xxxxxxxxxx> wrote:
> Can someone from the Eclipse PMC mark the bug as PMC approved.  I want to
> make sure we are explicit in the request to spin an RC4 for Oxygen.1 on this
> issue.
>
> Actually if you are not an equinox committer you may not have access to the
> security bug? But I know at least Alex should be able to approve.
>
> Tom
>
> ----- Original message -----
> From: Lars Vogel <lars.vogel@xxxxxxxxxxx>
> Sent by: eclipse-pmc-bounces@xxxxxxxxxxx
> To: eclipse-pmc@xxxxxxxxxxx
> Cc:
> Subject: Re: [eclipse-pmc] Timing for fix for Bug 518031: XML External Entity Vulnerability in Eclipse IDE
> Date: Wed, Sep 6, 2017 1:56 AM
>
> +1
>
> On Tue, Sep 5, 2017 at 8:17 PM, Brian de Alwis <briandealwis@xxxxxxxxx> wrote:
>> Dear PMC,
>>
>> An XML External Entity Vulnerability (XXE) bug was identified in the Eclipse
>> Platform (https://bugs.eclipse.org/bugs/show_bug.cgi?id=518031). The Open
>> Web Application Security Project (OWASP) has a page explaining the impacts
>> of XXE vulnerabilities.
>>
>> A fix has been released for Photon to configure the relevant locations that
>> parse external XML to use the `XMLConstants.FEATURE_SECURE_PROCESSING`
>> feature which disables requesting external DTDs and schemas and limits
>> entity processing. The JRE requires that all parsers support the
>> `XMLConstants.FEATURE_SECURE_PROCESSING` feature.
>>
>> Given that the fix is small, and a malicious p2 site could be assembled to
>> obtain the content of local files, I'd like to request that we backport and
>> include this fix for Oxygen.1.
>>
>>
>> https://git.eclipse.org/r/104388
>>
>> Brian.
>>
>> _______________________________________________
>> eclipse-pmc mailing list
>> eclipse-pmc@xxxxxxxxxxx
>> To change your delivery options, retrieve your password, or unsubscribe from
>> this list, visit
>> https://dev.eclipse.org/mailman/listinfo/eclipse-pmc
>
>
>



-- 
Eclipse Platform UI and e4 project co-lead
CEO vogella GmbH

Haindaalwisch 17a, 22395 Hamburg
Amtsgericht Hamburg: HRB 127058
Geschäftsführer: Lars Vogel, Jennifer Nerlich de Vogel
USt-IdNr.: DE284122352
Fax (040) 5247 6322, Email: lars.vogel@xxxxxxxxxxx, Web: http://www.vogella.com
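The parser configuration Brian describes, shown as an added example for readers of the archive; this is not code from the thread, from the Eclipse fix in review 104388, or from the p2 code base. It parses a constructed document that references an external entity once with JAXP defaults and once with `XMLConstants.FEATURE_SECURE_PROCESSING` enabled; the two `ACCESS_EXTERNAL_*` properties are an addition beyond what the message states, and the file path in the sample is a placeholder.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class SecureXmlParsing {
    // Constructed sample, not taken from any real p2 site: the inline DTD declares an
    // external entity and <name> references it, so a permissive parser reads the file.
    static final String WITH_EXTERNAL_ENTITY =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE site [ <!ENTITY ext SYSTEM \"file:///nonexistent/secret.txt\"> ]>\n"
      + "<site><name>&ext;</name></site>";
    static final String BENIGN = "<site><name>example</name></site>";

    // The setting the thread describes: FEATURE_SECURE_PROCESSING on. The two
    // ACCESS_EXTERNAL_* properties are pinned here as well so that blocking external
    // DTDs and schemas does not depend on one JAXP implementation's defaults.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Parses xml with the given factory and reports what happened to <name>.
    static String outcome(DocumentBuilderFactory f, String xml) throws Exception {
        try {
            Document d = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed, name=" + d.getElementsByTagName("name").item(0).getTextContent();
        } catch (SAXParseException e) {
            return "rejected by parser: " + e.getMessage();      // hardened factory
        } catch (IOException e) {
            return "parser tried to fetch the entity: " + e;     // JAXP defaults
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory plain = DocumentBuilderFactory.newInstance(); // pre-fix state
        System.out.println("defaults, benign: " + outcome(plain, BENIGN));
        System.out.println("defaults, XXE   : " + outcome(plain, WITH_EXTERNAL_ENTITY));
        System.out.println("hardened, benign: " + outcome(hardenedFactory(), BENIGN));
        System.out.println("hardened, XXE   : " + outcome(hardenedFactory(), WITH_EXTERNAL_ENTITY));
    }
}
```

With the JDK's built-in parser the defaults run attempts the file read (and fails only because the placeholder path does not exist), while the hardened run refuses the external entity before any I/O; a different JAXP implementation on the classpath, or `jdk.xml.*` system properties, can change the defaults run.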