[https://issues.apache.org/jira/browse/XERCESJ-1722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17141008#comment-17141008]
Olivier Jaquemet commented on XERCESJ-1722:
-------------------------------------------
Thank you for your answer [~mukul_gandhi]
When I created this issue, it was not the goal to obtain a solution (as I had obviously used the 2.7.2 version), but just to give the information to the xerces-j team so it could get fixed.
You say: "The above, I think shall imply, that the information provided within the mentioned CVE is not 100% reliable to act on it."
When it comes to security, my opinion is "in doubt, fix it."
> Vulnerable Serializer 2.7.1 bundled in Xerces 2.12.1 binary distribution
> -----------------------------------------------------------------------
>
> Key: XERCESJ-1722
> URL: https://issues.apache.org/jira/browse/XERCESJ-1722
> Project: Xerces2-J
> Issue Type: Bug
> Components: Serialization
> Affects Versions: 2.12.1
> Reporter: Olivier Jaquemet
> Priority: Major
>
> The following jars are bundled in the Xerces-J 2.12.1 binary distribution:
> {{47dcde8986019314ef78ae7280a94973a21d2ed95075a40a000b42da956429e1 resolver.jar}}
> *{{1456a09a4c710804c7cb6c0897cf323ae168d0c07ed12ca389f81f572f6d4391 serializer.jar}}*
> {{a840968176645684bb01aed376e067ab39614885f9eee44abe35a5f20ebe7fad xml-apis.jar}}
> Extracting information from the MANIFEST:
> * resolver.jar / Implementation-Version: 1.2
> * *serializer.jar / Implementation-Version: 2.7.1*
> * xml-apis.jar / Implementation-Version: 1.4.01
> Problem:
> If it IS the xalan serializer 2.7.1 (which I could not confirm from the hash), this version is vulnerable to CVE-2014-0107:
> [https://nvd.nist.gov/vuln/detail/CVE-2014-0107]
> Xalan 2.7.2 was released in April 2014 and should probably be included to prevent uninformed users from relying on the whole Xerces-J distribution.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
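As an added example (not code from the issue or from the Xerces-J project), the check below reproduces the two fingerprints used in the report above, the whole-file SHA-256 and the Implementation-Version attribute of META-INF/MANIFEST.MF, and flags a serializer jar that declares a version below the 2.7.2 release the reporter asks for. The manifest continuation-line handling and the in-memory sample jar are assumptions made for the demonstration.

```python
# Added example, not from the Xerces-J project: fingerprint a bundled jar by
# whole-file SHA-256 and by its manifest Implementation-Version, then compare.
import hashlib
import io
import re
import zipfile

def parse_manifest(text):
    """Parse the main section of a JAR manifest; a line starting with one
    space continues the previous value (72-byte wrapping), so join it."""
    attrs, last_key = {}, None
    for raw in text.splitlines():
        if raw == "":
            break  # blank line ends the main section; per-entry sections follow
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs

def jar_fingerprint(jar_bytes):
    """Return (sha256 hex digest, Implementation-Version or None) for a jar."""
    digest = hashlib.sha256(jar_bytes).hexdigest()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return digest, None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    return digest, parse_manifest(manifest).get("Implementation-Version")

def version_tuple(version):
    """'2.7.1' -> (2, 7, 1); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def serializer_needs_update(jar_bytes, fixed_version="2.7.2"):
    """True when the jar declares a version older than the fixed release."""
    _, version = jar_fingerprint(jar_bytes)
    if version is None:
        return True  # no declared version: cannot prove it is fixed, review it
    return version_tuple(version) < version_tuple(fixed_version)

def build_sample_jar(manifest_text):
    """Constructed in-memory jar holding only a manifest (demo input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()
```

Run it over the jars of an unpacked distribution and compare the digests against the ones published for the release; the version check is only a hint, since a manifest can claim any version.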