Of course, only now do I remember how much effort Aurélien had to go
through just to get the then-current version onto Maven Central.

On Wed, Jan 26, 2022 at 7:10 PM Nitin Dahyabhai <thatnit...@gmail.com>
wrote:

> Wayne,
> I'll take it on.
>
> On Wed, Jan 26, 2022 at 5:02 PM Wayne Beaton <
> wayne.bea...@eclipse-foundation.org> wrote:
>
>> From CVE-2022-23437:
>>
>> There's a vulnerability within the Apache Xerces Java (XercesJ) XML
>>> parser when handling specially crafted XML document payloads. This causes
>>> the XercesJ XML parser to wait in an infinite loop, which may sometimes
>>> consume system resources for prolonged duration. This vulnerability is
>>> present within XercesJ version 2.12.1 and *the previous versions*.
>>
>>
>> More here:
>>
>>    - https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl
>>    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23437
>>
>> This particular version is in Orbit and in the Simultaneous Release. It
>> appears that version 2.9 is also in the simultaneous release. According to
>> the alert all versions are affected.
>>
>> According to the CQ record, several projects on the simultaneous release
>> are using affected versions.
>>
>> If anybody from EclipseLink is monitoring this channel, you have a CQ for
>> this library, but I haven't found it in your builds yet. You should
>> probably also have a look.
>>
>> It seems that the reasonable mitigation strategy is to update to 2.12.2,
>> but we'll need somebody to take the lead on that. Any volunteers?
>>
>> Wayne
>> --
>>
>> Wayne Beaton
>>
>> Director of Open Source Projects | Eclipse Foundation
>> _______________________________________________
>> cross-project-issues-dev mailing list
>> cross-project-issues-dev@eclipse.org
>> To unsubscribe from this list, visit
>> https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
>>
>
>
> --
> Regards,
> Nitin Dahyabhai
> Eclipse WTP PMC
>


-- 
Regards,
Nitin Dahyabhai
Eclipse WTP PMC
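Since the advisory quoted above says every xercesImpl release up to 2.12.1 is affected and the agreed mitigation is moving to 2.12.2, a quick way to find builds that still need the update is to scan `mvn dependency:list` output for the coordinate. The following is an added example, not code from the thread or from any Eclipse project; the `[INFO]    group:artifact:type:version:scope` line shape is what Maven prints, and the sample output is constructed.

```python
import re

# Fixed release named in the advisory for CVE-2022-23437.
FIXED_VERSION = (2, 12, 2)

# Dependency lines printed by `mvn dependency:list`, e.g.
# "[INFO]    xerces:xercesImpl:jar:2.12.1:compile"
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):"
    r"(?P<type>\w+):(?P<version>[^:\s]+)(?::(?P<scope>\w+))?"
)


def parse_version(text):
    """Turn '2.12.1' or an Orbit-style '2.12.1.v20210730' into a comparable tuple."""
    nums = []
    for part in text.split("."):
        if not part.isdigit():
            break  # a qualifier such as 'v20210730' or 'SNAPSHOT' ends the numeric part
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def is_affected(group, artifact, version):
    """True when the coordinate is Xerces Java below the fixed release."""
    if group != "xerces" or artifact != "xercesImpl":
        return False
    return parse_version(version) < FIXED_VERSION


def affected_dependencies(output):
    """Return (group, artifact, version) triples from dependency:list output that need updating."""
    found = []
    for line in output.splitlines():
        m = DEP_LINE.match(line)
        if m and is_affected(m["group"], m["artifact"], m["version"]):
            found.append((m["group"], m["artifact"], m["version"]))
    return found


# Constructed sample of `mvn dependency:list` output, not taken from any real build.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    xerces:xercesImpl:jar:2.9.0:compile
[INFO]    xml-apis:xml-apis:jar:1.4.01:compile
[INFO]    junit:junit:jar:4.13.2:test
"""

if __name__ == "__main__":
    for coord in affected_dependencies(SAMPLE_OUTPUT):
        print("update to 2.12.2:", ":".join(coord))
```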