I too work with an organization that is a bit concerned about using a library 
with a 5-year-old security issue. If the issue is a lack of volunteers, what 
can we do to help, especially given that the fix is already done? Do you need 
testers? People to build from source? Something else?

-Will Herrmann

> As has been the case for a long time, Xerces-J 2.12.0 needs volunteers to 
> actually make this release happen.
> 
> Michael Glavassevich
> XML Technologies and WAS Development
> IBM Toronto Lab
> E-mail: mrgla...@ca.ibm.com
> E-mail: mrgla...@apache.org
> 
> Gary Gregory <garydgreg...@gmail.com> wrote on 12/22/2017 01:46:28 PM:
>  
> > Good question. Xerces has been rather... inactive :-(
> > 
> > Gary
> > 
> > On Fri, Dec 22, 2017 at 7:15 AM, Yves Geissbühler <
> > yves.geissbueh...@incentage.com> wrote:
> > Hi all,
> > my problem is that Xerces-J 2.11.0 pops up on the OWASP Dependency 
> > Check [1] having the vulnerability CVE-2012-0881.
> > 
> > After some investigation I found that CVE-2012-0881 has been indeed 
> > fixed and is scheduled to be released for Xerces-J 2.12.0 [2].
> > 
> > However, no specific release date is given [3].
> > 
> > Could you point me to a release schedule or do you know the release 
> > date?
> > 
> > Using libraries which contain vulnerabilities is not an option for 
> > my organisation. So, I'm hoping for a Xerces-J 2.11.0 release 
> > happening soonish.
> > 
> > Best regards,
> > Yves
> > 
> > [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
> > [2] https://issues.apache.org/jira/browse/XERCESJ-1685
> > [3] https://issues.apache.org/jira/projects/XERCESJ/versions/12336542

---------------------------------------------------------------------
To unsubscribe, e-mail: j-users-unsubscr...@xerces.apache.org
For additional commands, e-mail: j-users-h...@xerces.apache.org
