Hi, I think that CVE originated from the JDK but very likely corresponds to this change [1] in Xerces which also happens to be a performance improvement. It would be included in the next release (no outlook on that yet). Users can apply this patch to the source if they need a fix earlier than that.
Thanks.

[1] http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?annotate=1499506

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: [email protected]
E-mail: [email protected]

David Dillard <[email protected]> wrote on 09/30/2014 09:59:24 AM:

> Hi,
>
> I noticed that Red Hat just released a fix for CVE-2013-4002
> (https://access.redhat.com/security/cve/CVE-2013-4002). I was
> wondering when a fix for this might be released by the project
> itself. I searched through the mailing list archive looking for
> some mention of it, but didn’t see anything. However, as it’s a
> security issue it may not have been discussed publicly.
>
> --- David
