Of course, only now do I remember how much effort Aurélien had to go through just to get the then-current version onto Maven Central.
On Wed, Jan 26, 2022 at 7:10 PM Nitin Dahyabhai <thatnit...@gmail.com> wrote:

> Wayne,
> I'll take it on.
>
> On Wed, Jan 26, 2022 at 5:02 PM Wayne Beaton <wayne.bea...@eclipse-foundation.org> wrote:
>
>> From CVE-2022-23437:
>>
>>> There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and *the previous versions*.
>>
>> More here:
>>
>> - https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl
>> - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23437
>>
>> This particular version is in Orbit and in the Simultaneous Release. It appears that version 2.9 is also in the simultaneous release. According to the alert all versions are affected.
>>
>> According to the CQ record, several projects on the simultaneous release are using affected versions.
>>
>> If anybody from EclipseLink is monitoring this channel, you have a CQ for this library, but I haven't found it in your builds yet. You should probably also have a look.
>>
>> It seems that the reasonable mitigation strategy is to update to 2.12.2, but we'll need somebody to take the lead on that. Any volunteers?
>>
>> Wayne
>> --
>>
>> Wayne Beaton
>>
>> Director of Open Source Projects | Eclipse Foundation
>> _______________________________________________
>> cross-project-issues-dev mailing list
>> cross-project-issues-dev@eclipse.org
>> To unsubscribe from this list, visit
>> https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
>
> --
> Regards,
> Nitin Dahyabhai
> Eclipse WTP PMC

--
Regards,
Nitin Dahyabhai
Eclipse WTP PMC
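A defender-side check for the triage discussed in the thread, added here as an example and not code from the thread or from any Eclipse project: it scans `mvn dependency:list` style output for Xerces artifacts below the 2.12.2 fix release named above. The `xerces:xercesImpl` coordinate and the sample dependency lines are assumptions constructed for the example.

```python
import re

# Per the advisory quoted in the thread: XercesJ 2.12.1 and all earlier
# versions are affected; the proposed mitigation is updating to 2.12.2.
FIXED_VERSION = "2.12.2"

# Constructed sample in `mvn dependency:list` style (not from any real build):
# group:artifact:packaging:version:scope
SAMPLE_DEPENDENCY_LIST = """\
   org.apache.commons:commons-lang3:jar:3.12.0:compile
   xerces:xercesImpl:jar:2.12.1:compile
   xerces:xercesImpl:jar:2.9.0:compile
   xerces:xercesImpl:jar:2.12.2:compile
   xml-apis:xml-apis:jar:1.4.01:compile
"""

# Assumed Maven coordinate of the Xerces parser artifact.
XERCES_ARTIFACT = "xercesImpl"

DEP_RE = re.compile(
    r"^\s*(?P<group>[^:\s]+):(?P<artifact>[^:]+):[^:]+:(?P<version>[^:]+):"
)

def parse_version(v):
    """Turn '2.12.1' into a comparable tuple; a non-numeric component
    compares as 0, so a qualified version (e.g. '2.12.2-x') is flagged
    rather than silently accepted."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def is_affected(version, fixed=FIXED_VERSION):
    """True when the given Xerces version is below the fixed release."""
    return parse_version(version) < parse_version(fixed)

def find_affected_xerces(dependency_list):
    """Return (group:artifact, version) pairs for affected Xerces entries."""
    hits = []
    for line in dependency_list.splitlines():
        m = DEP_RE.match(line)
        if not m or m.group("artifact") != XERCES_ARTIFACT:
            continue
        if is_affected(m.group("version")):
            hits.append((f"{m.group('group')}:{m.group('artifact')}",
                         m.group("version")))
    return hits

if __name__ == "__main__":
    for ga, v in find_affected_xerces(SAMPLE_DEPENDENCY_LIST):
        print(f"{ga}:{v} affected by CVE-2022-23437; update to {FIXED_VERSION}")
```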