Wayne,
I'll take it on.

On Wed, Jan 26, 2022 at 5:02 PM Wayne Beaton <wayne.bea...@eclipse-foundation.org> wrote:

> From CVE-2022-23437:
>
>> There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser
>> when handling specially crafted XML document payloads. This causes the
>> XercesJ XML parser to wait in an infinite loop, which may sometimes consume
>> system resources for prolonged duration. This vulnerability is present
>> within XercesJ version 2.12.1 and *the previous versions*.
>
>
> More here:
>
>    - https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl
>    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23437
>
> This particular version is in Orbit and in the Simultaneous Release. It
> appears that version 2.9 is also in the simultaneous release. According to
> the alert all versions are affected.
>
> According to the CQ record, several projects on the simultaneous release
> are using affected versions.
>
> If anybody from EclipseLink is monitoring this channel, you have a CQ for
> this library, but I haven't found it in your builds yet. You should
> probably also have a look.
>
> It seems that the reasonable mitigation strategy is to update to 2.12.2,
> but we'll need somebody to take the lead on that. Any volunteers?
>
> Wayne
> --
>
> Wayne Beaton
>
> Director of Open Source Projects | Eclipse Foundation
> _______________________________________________
> cross-project-issues-dev mailing list
> cross-project-issues-dev@eclipse.org
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
>


-- 
Regards,
Nitin Dahyabhai
Eclipse WTP PMC
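As an added example (not part of this thread or of any Eclipse project's tooling), a small Python audit that flags a Maven POM's xerces:xercesImpl dependency when its version is below the fixed 2.12.2 that the thread proposes upgrading to; the sample POM and the OSGi-style version qualifier format are constructed for illustration.

```python
"""Flag Apache Xerces Java (xerces:xercesImpl) versions affected by CVE-2022-23437.
Affected: 2.12.1 and earlier; fixed in 2.12.2. Added illustration; the POM is constructed."""
import xml.etree.ElementTree as ET
FIXED_VERSION = (2, 12, 2)
POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample POM: one affected xercesImpl dependency and one unrelated one.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>xerces</groupId><artifactId>xercesImpl</artifactId><version>2.12.1</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>other-lib</artifactId><version>1.0</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(version):
    """Keep the leading numeric dotted components and drop a trailing
    OSGi/Orbit-style qualifier such as '.v20220101' (assumed format)."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def is_affected(version):
    """True when the version compares numerically below 2.12.2. Unresolvable
    versions (empty or a ${property}) parse to () and are flagged for manual review."""
    v = parse_version(version)
    v = v + (0,) * (len(FIXED_VERSION) - len(v))  # treat '2.12' as 2.12.0
    return v < FIXED_VERSION

def find_xerces_deps(pom_xml):
    """Return the version string of every xerces:xercesImpl dependency."""
    root = ET.fromstring(pom_xml)
    versions = []
    for dep in root.iter(POM_NS + "dependency"):
        if (dep.findtext(POM_NS + "groupId") == "xerces"
                and dep.findtext(POM_NS + "artifactId") == "xercesImpl"):
            versions.append(dep.findtext(POM_NS + "version") or "")
    return versions

def audit_pom(pom_xml):
    """Versions in the POM that still need the 2.12.2 upgrade."""
    return [v for v in find_xerces_deps(pom_xml) if is_affected(v)]

if __name__ == "__main__":
    print("affected xercesImpl versions:", audit_pom(SAMPLE_POM))
```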