Hi Michael,

That's ok for CVE-2012-0881 <https://nvd.nist.gov/vuln/detail/CVE-2012-0881>, though the CPEs (affected software and versions) should be updated to reflect that the issue was fixed in 2.12.0. I'm happy to send that request in if you like.
However, for CVE-2013-4002 <https://nvd.nist.gov/vuln/detail/CVE-2013-4002> and CVE-2018-2799 <https://nvd.nist.gov/vuln/detail/CVE-2018-2799> I'm going to disagree, as neither of them even mentions Xerces. As is, the only way anyone would know that those two vulnerabilities were fixed in Xerces is to read the Xerces release announcement. So, if someone relies on tools like Dependency Check, Black Duck or White Source (which can scan jars for known vulnerabilities) there'd be no issue flagged for Xerces 2.11.0 or earlier. That's bad. I don't think updating the CPEs for either of those vulnerabilities is really an option and IBM and Oracle issued them and the descriptions are specific to their products. I think new CVEs are needed for these issues. Fixing vulnerabilities is obviously important, but making it easy for people to know those vulnerabilities have been fixed is also important.

Regards,
David

From: Michael Glavassevich [mailto:mrgla...@ca.ibm.com]
Sent: Tuesday, May 22, 2018 9:52 AM
To: j-users@xerces.apache.org
Cc: j-...@xerces.apache.org; muk...@apache.org; priv...@xerces.apache.org
Subject: RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release

I thought the CVE was mentioned in the release announcement. The security team did eventually respond to us and said we shouldn't need a new CVE since it's the same source code that's affected.

Thanks.

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrgla...@ca.ibm.com
E-mail: mrgla...@apache.org