JAXP and TrAX became the javax.* package. This provides factory methods for creating XML parsers and transformers, and can be told which implementation to use by setting environment variables/Java Properties/config file values. "Product" JREs have been shipping with a default configuration which uses a "shaded" (renamed) copy of the Apache code as the default, but you can override it to use the "real" org.apache code.
Note that in this setup, if you explicitly reference org.apache.* classes, you will get the official Apache release on your classpath. Of course if you directly reference the renamed versions, or leave the Java factories pointed to them, that's what you'll get instead. We have no ability to maintain those directly; the JRE teams have to pick up desired changes from us or do it themselves (preferably telling us so we can consider adopting similar changes).

A bit confusing, but a huge improvement over the early versions, when Java embedded Xalan and Xerces without renaming them and without the factory layer. We used to have to either use the BootClasspath or Endorsed Libraries to bypass that, or "neuter" the JREs, to run with the official Apache code. Goodbye to that, and good riddance.

--
/_ Joe Kesselman (he/him/his)
-/ _) My Alexa skill for New Music/New Sounds fans:
/ https://www.amazon.com/dp/B09WJ3H657/

Caveat: Opinionated old geezer with overcompensated writer's block. May be redundant, verbose, prolix, sesquipedalian, didactic, officious, or redundant.

________________________________
From: Gary Gregory <garydgreg...@gmail.com>
Sent: Saturday, April 13, 2024 3:29:04 PM
To: manikanta tikkisetty <manikantatikkisetty...@gmail.com>
Cc: j-users@xalan.apache.org <j-users@xalan.apache.org>
Subject: Re: CVE-2022-34169

Hello Mani,

We have no control over what Java vendors bundle into their platforms. You can't really safely edit a Java installation but different versions of Java let you specify which JAXP implementation to use. You can also hard code an application but that's not very flexible.

Gary

On Sat, Apr 13, 2024, 2:53 PM manikanta tikkisetty <manikantatikkisetty...@gmail.com> wrote:

Hi,

Jdk bundle contains xalan 2.7.0 version as part of rt.jar. How can I update xalan version to 2.7.3 to resolve vulnerability?

Thanks & Regards,
Mani.
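
Added example, not part of the thread and not Xalan project code: a small check of which TransformerFactory the JAXP lookup described above resolves to and where that class was loaded from, followed by pinning the official Apache factory by class name. It assumes an Apache Xalan-J jar is on the application classpath; the class name JaxpFactoryCheck is hypothetical.

```java
import java.security.CodeSource;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.TransformerFactoryConfigurationError;

public class JaxpFactoryCheck {
    // Factory class of the official Apache Xalan-J processor.
    // Assumption: a Xalan-J jar has been added to the application classpath.
    static final String APACHE_XALAN =
            "org.apache.xalan.processor.TransformerFactoryImpl";

    // Report the implementing class and the location it was loaded from.
    static String describe(TransformerFactory tf) {
        Class<?> c = tf.getClass();
        CodeSource src = c.getProtectionDomain().getCodeSource();
        // A null code source (rt.jar on the boot classpath) or a jrt:/ URL
        // (modular JDKs) means the class is the copy bundled with the JRE.
        String origin = (src == null || src.getLocation() == null)
                ? "JRE built-in"
                : src.getLocation().toString();
        return c.getName() + " [" + origin + "]";
    }

    public static void main(String[] args) {
        // 1. What the JAXP lookup picks with the current configuration.
        //    The javax.xml.transform.TransformerFactory system property
        //    (-Djavax.xml.transform.TransformerFactory=...) changes this
        //    choice without touching the Java installation.
        System.out.println("default: " + describe(TransformerFactory.newInstance()));

        // 2. Hard-coding the implementation in the application instead:
        //    name the Apache factory and load it from the app classpath.
        try {
            TransformerFactory pinned = TransformerFactory.newInstance(
                    APACHE_XALAN, JaxpFactoryCheck.class.getClassLoader());
            System.out.println("pinned : " + describe(pinned));
        } catch (TransformerFactoryConfigurationError e) {
            // Thrown when the named factory class cannot be found or created.
            System.out.println("pinned : Apache Xalan not on classpath ("
                    + e.getMessage() + ")");
        }
    }
}
```

If the "default" line shows a com.sun.org.apache.* class, the application is still running the renamed copy bundled with the JRE, whatever jars are on its classpath.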