Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [orbit-dev] Xerces updated to 2.12.2 (CVE-2022-23437)

IMHO it's high time to drop the old CVS coming artifacts and the composite repo and Orbit becomes a current only. There are many other vulnerable things in these old libraries too. Projects that don't want to move can still point to old releases.

On Mon, Jan 31, 2022 at 10:58 AM Pierre-Charles David <pierre-charles.david@xxxxxxx> wrote:

As mentioned by Wayne on cross-projects [1], all versions of Xerces up
to 2.12.1 were vulnerable to CVE-2022-23437 [2].
The Xerces team has released a new 2.12.2 version which fixes the issue
[3], and this has been published on Maven Central [4].

I took the liberty to merge the upgrade in orbit-recipes [5] as this is
a security issue. Feel free to revert/update if you believe there is an
issue with the patch.

I could not find much published details about the actual security issue,
but from a look at the Xerces source it is related to the use of
carriage return characters at the end of XML entities:

There does not seem to be any other significant change in 2.12.2
compared to the 2.12.1 we published before (it's mostly documentation
changes and error messages improvements).

Note that even with the patch, the full Orbit repo still also contains
Xerces 2.9 (it's aggregated from the older Orbit repo at,
which is probably vulnerable.

Pierre-Charles David (Obeo)


Pierre-Charles David (Obeo)

orbit-dev mailing list
To unsubscribe from this list, visit

Aleksandar Kurtakov
Red Hat Eclipse Team

Back to the top