[orbit-dev] Xerces updated to 2.12.2 (CVE-2022-23437)

Hi,

As mentioned by Wayne on cross-projects [1], all versions of Xerces up to 2.12.1 were vulnerable to CVE-2022-23437 [2]. The Xerces team has released a new 2.12.2 version which fixes the issue [3], and this has been published on Maven Central [4].

I took the liberty to merge the upgrade in orbit-recipes [5] as this is a security issue. Feel free to revert/update if you believe there is an issue with the patch.

I could not find many published details about the actual security issue, but from a look at the Xerces source it is related to the use of carriage return characters at the end of XML entities:

  https://svn.apache.org/repos/asf/xerces/java/trunk@1897141
  https://svn.apache.org/repos/asf/xerces/java/trunk@1897159

There does not seem to be any other significant change in 2.12.2 compared to the 2.12.1 we published before (it's mostly documentation changes and error message improvements).

Note that even with the patch, the full Orbit repo still also contains Xerces 2.9 (it's aggregated from the older Orbit repo at https://download.eclipse.org/tools/orbit/downloads/drops/R20201118194144/repository/plugins), which is probably vulnerable.

Regards,
Pierre-Charles David (Obeo)

[1] https://www.eclipse.org/lists/cross-project-issues-dev/msg18920.html
[2] https://nvd.nist.gov/vuln/detail/CVE-2022-23437
[3] https://www.openwall.com/lists/oss-security/2022/01/24/3
[4] https://issues.apache.org/jira/browse/XERCESJ-1735
[5] https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190077

--
Pierre-Charles David (Obeo)
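As an added example (not part of the message above or of Orbit's own tooling): the note that the aggregated Orbit repository still carries Xerces 2.9 suggests a quick check of a plugins/ listing for Xerces artifacts older than the 2.12.2 fix release. The bundle-name pattern and the sample listing are assumptions constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# First Xerces-J release that fixes CVE-2022-23437, per the announcement above.
FIXED_VERSION = (2, 12, 2)

# Matches Orbit/Eclipse-style bundle names such as org.apache.xerces_2.12.1.v20220131-2000.jar
# and plain Maven jar names such as xercesImpl-2.9.0.jar. The naming pattern is an assumption
# for this example, not something taken from the Orbit recipes.
_BUNDLE_RE = re.compile(r'(?:org\.apache\.xerces_|xercesImpl-)(\d+)\.(\d+)\.(\d+)')


def xerces_version(name: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a Xerces bundle/jar name, or None if it is not Xerces."""
    m = _BUNDLE_RE.search(name)
    if not m:
        return None
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def vulnerable_bundles(names: List[str]) -> List[Tuple[str, str]]:
    """List (name, version) for every Xerces artifact older than the 2.12.2 fix release."""
    hits = []
    for name in names:
        v = xerces_version(name)
        # Tuple comparison gives correct numeric ordering (2.9.0 < 2.12.2).
        if v is not None and v < FIXED_VERSION:
            hits.append((name, ".".join(map(str, v))))
    return hits


# Constructed sample of a plugins/ directory listing; the version qualifiers are made up.
SAMPLE_PLUGINS = [
    "org.apache.xerces_2.9.0.v201101211617.jar",
    "org.apache.xerces_2.12.1.v20220131-2000.jar",
    "org.apache.xerces_2.12.2.v20220131-2000.jar",
    "xercesImpl-2.12.2.jar",
    "org.apache.xml.resolver_1.2.0.v201005080400.jar",
]

if __name__ == "__main__":
    for name, version in vulnerable_bundles(SAMPLE_PLUGINS):
        print(f"{name}: Xerces {version} < 2.12.2, affected by CVE-2022-23437")
```

Point the script at the output of `ls plugins/` from a real repository checkout to get the same report for an actual aggregate.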
