Wayne, I'll take it on.

On Wed, Jan 26, 2022 at 5:02 PM Wayne Beaton <wayne.bea...@eclipse-foundation.org> wrote:

> From CVE-2022-23437:
>
>> There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser
>> when handling specially crafted XML document payloads. This causes the
>> XercesJ XML parser to wait in an infinite loop, which may sometimes consume
>> system resources for a prolonged duration. This vulnerability is present
>> within XercesJ version 2.12.1 and *the previous versions*.
>
> More here:
>
> - https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl
> - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23437
>
> This particular version is in Orbit and in the Simultaneous Release. It
> appears that version 2.9 is also in the Simultaneous Release. According to
> the alert, all versions are affected.
>
> According to the CQ record, several projects on the Simultaneous Release
> are using affected versions.
>
> If anybody from EclipseLink is monitoring this channel, you have a CQ for
> this library, but I haven't found it in your builds yet. You should
> probably also have a look.
>
> It seems that the reasonable mitigation strategy is to update to 2.12.2,
> but we'll need somebody to take the lead on that. Any volunteers?
>
> Wayne
> --
>
> Wayne Beaton
>
> Director of Open Source Projects | Eclipse Foundation
>
> _______________________________________________
> cross-project-issues-dev mailing list
> cross-project-issues-dev@eclipse.org
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
>

--
Regards,
Nitin Dahyabhai
Eclipse WTP PMC