Would it be possible for you to connect me with these people so I can discuss it with them directly?
From: Michael Glavassevich [mailto:[email protected]]
Sent: Tuesday, May 22, 2018 12:14 PM
To: [email protected]
Cc: [email protected]; [email protected]; [email protected]
Subject: RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release

CVE-2018-2799 was the only one we asked about, but it was security@'s opinion that we didn't need a new CVE for that one.

Honestly, this isn't a subject I know much about. I think if this had been reported through the security team (under the assumption it was a newly discovered issue), following through the process [1] a new CVE would have been requested.

Thanks.

[1] https://www.apache.org/security/committers.html

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: [email protected]
E-mail: [email protected]

David Dillard <[email protected]> wrote on 05/22/2018 11:20:08 AM:

> From: David Dillard <[email protected]>
> To: "[email protected]" <[email protected]>, "j-[email protected]" <[email protected]>
> Cc: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
> Date: 05/22/2018 11:30 AM
> Subject: RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release
>
> Hi Michael,
>
> That's ok for CVE-2012-0881, though the CPEs (affected software and versions) should be updated to reflect that the issue was fixed in 2.12.0. I'm happy to send that request in if you like.
>
> However, for CVE-2013-4002 and CVE-2018-2799 I'm going to disagree, as neither of them even mentions Xerces. As is, the only way anyone would know that those two vulnerabilities were fixed in Xerces is to read the Xerces release announcement. So, if someone relies on tools like Dependency Check, Black Duck or White Source (which can scan jars for known vulnerabilities) there'd be no issue flagged for Xerces 2.11.0 or earlier. That's bad. I don't think updating the CPEs for either of those vulnerabilities is really an option and IBM and Oracle issued them and the descriptions are specific to their products. I think new CVEs are needed for these issues.
>
> Fixing vulnerabilities is obviously important, but making it easy for people to know those vulnerabilities have been fixed is also important.
>
> Regards,
>
> David
>
> From: Michael Glavassevich [mailto:[email protected]]
> Sent: Tuesday, May 22, 2018 9:52 AM
> To: [email protected]
> Cc: [email protected]; [email protected]; [email protected]
> Subject: RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release
>
> I thought the CVE was mentioned in the release announcement.
>
> The security team did eventually respond to us and said we shouldn't need a new CVE since it's the same source code that's affected.
>
> Thanks.
>
> Michael Glavassevich
> XML Technologies and WAS Development
> IBM Toronto Lab
> E-mail: [email protected]
> E-mail: [email protected]
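The scanner behaviour David describes (a tool such as Dependency Check derives a CPE for a jar and flags only those CVEs whose affected-configuration list matches it) can be shown with a small model. This is an added example, not part of the thread and not the code of any of the tools named in it. The CPE strings, the `versionEndExcluding` bounds and the `example_vendor_*` products are constructed for the illustration and are not the real NVD data for the CVEs named above; only the CVE identifiers come from the thread.

```python
"""Constructed model of CPE-based vulnerability matching.

A software-composition-analysis tool identifies a jar, derives a CPE for
it, and flags every CVE whose affected-configuration list matches that CPE.
If a CVE's list never mentions the library itself (only downstream vendor
products), the tool cannot flag the library, which is the gap discussed in
the thread. All CPE data below is invented for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def parse_cpe(cpe: str) -> Tuple[str, str, str]:
    """Return (vendor, product, version) from a CPE 2.3 formatted string."""
    parts = cpe.split(":")
    # Layout: cpe:2.3:part:vendor:product:version:update:edition:...
    if len(parts) < 6 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return parts[3], parts[4], parts[5]


def version_key(version: str) -> Tuple[int, ...]:
    """Sort key for dotted numeric versions; non-numeric segments count as 0."""
    return tuple(int(seg) if seg.isdigit() else 0 for seg in version.split("."))


@dataclass
class CpeMatch:
    """One affected-configuration entry: a CPE pattern plus an optional upper bound."""
    cpe: str                                 # version field may be '*' for "any"
    version_end_excluding: Optional[str] = None

    def matches(self, component_cpe: str) -> bool:
        vendor, product, version = parse_cpe(component_cpe)
        p_vendor, p_product, p_version = parse_cpe(self.cpe)
        if (p_vendor, p_product) != (vendor, product):
            return False                     # different software entirely
        if p_version != "*" and p_version != version:
            return False                     # exact-version entry, no match
        if self.version_end_excluding is not None:
            # Affected only below the fixed-in version.
            return version_key(version) < version_key(self.version_end_excluding)
        return True


@dataclass
class CveRecord:
    cve_id: str
    configurations: List[CpeMatch] = field(default_factory=list)


def scan(component_cpe: str, feed: List[CveRecord]) -> List[str]:
    """Return the CVE ids whose configurations match the component's CPE."""
    return sorted(
        rec.cve_id for rec in feed
        if any(m.matches(component_cpe) for m in rec.configurations)
    )


def add_configuration(feed: List[CveRecord], cve_id: str, match: CpeMatch) -> List[CveRecord]:
    """Copy of the feed with one extra configuration entry on the given CVE
    (what a CPE update on the record would do for the scanner)."""
    return [
        CveRecord(rec.cve_id, rec.configurations + ([match] if rec.cve_id == cve_id else []))
        for rec in feed
    ]


# Constructed component CPEs for the two Xerces-J versions in the thread.
XERCES_211 = "cpe:2.3:a:apache:xerces-j:2.11.0:*:*:*:*:*:*:*"
XERCES_212 = "cpe:2.3:a:apache:xerces-j:2.12.0:*:*:*:*:*:*:*"
XERCES_RANGE = "cpe:2.3:a:apache:xerces-j:*:*:*:*:*:*:*:*"

# Constructed feed: CVE ids from the thread, CPE data invented.
FEED = [
    # Record that names the library and carries a fixed-in bound.
    CveRecord("CVE-2012-0881", [CpeMatch(XERCES_RANGE, version_end_excluding="2.12.0")]),
    # Records whose configurations name only downstream vendor products.
    CveRecord("CVE-2013-4002", [CpeMatch("cpe:2.3:a:example_vendor_a:downstream_product:*:*:*:*:*:*:*:*")]),
    CveRecord("CVE-2018-2799", [CpeMatch("cpe:2.3:a:example_vendor_b:downstream_product:*:*:*:*:*:*:*:*")]),
]


if __name__ == "__main__":
    print("2.11.0 as published:", scan(XERCES_211, FEED))
    print("2.12.0 as published:", scan(XERCES_212, FEED))
    fixed = add_configuration(FEED, "CVE-2013-4002", CpeMatch(XERCES_RANGE, "2.12.0"))
    print("2.11.0 after CPE update:", scan(XERCES_211, fixed))
```

Run as a script, the model flags Xerces-J 2.11.0 only for the record that names the library; the two records with vendor-only configurations stay silent until a configuration naming the library is added to them, which is the effect David is asking for whether it is done by updating CPEs or by issuing new CVEs.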
