CVE-2018-2799 was the only one we asked about, but it was security@'s opinion that we didn't need a new CVE for that one. Honestly, this isn't a subject I know much about. I think if this had been reported through the security team (under the assumption it was a newly discovered issue), following through the process [1] a new CVE would have been requested.
Thanks.

[1] https://www.apache.org/security/committers.html

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrgla...@ca.ibm.com
E-mail: mrgla...@apache.org

David Dillard <david.dill...@veritas.com> wrote on 05/22/2018 11:20:08 AM:

> From: David Dillard <david.dill...@veritas.com>
> To: "j-...@xerces.apache.org" <j-...@xerces.apache.org>, "j-us...@xerces.apache.org" <j-users@xerces.apache.org>
> Cc: "muk...@apache.org" <muk...@apache.org>, "priv...@xerces.apache.org" <priv...@xerces.apache.org>
> Date: 05/22/2018 11:30 AM
> Subject: RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release
>
> Hi Michael,
>
> That’s ok for CVE-2012-0881, though the CPEs (affected software and versions) should be updated to reflect that the issue was fixed in 2.12.0. I’m happy to send that request in if you like.
>
> However, for CVE-2013-4002 and CVE-2018-2799 I’m going to disagree, as neither of them even mentions Xerces. As is, the only way anyone would know that those two vulnerabilities were fixed in Xerces is to read the Xerces release announcement. So, if someone relies on tools like Dependency Check, Black Duck or White Source (which can scan jars for known vulnerabilities) there’d be no issue flagged for Xerces 2.11.0 or earlier. That’s bad. I don’t think updating the CPEs for either of those vulnerabilities is really an option and IBM and Oracle issued them and the descriptions are specific to their products. I think new CVEs are needed for these issues.
>
> Fixing vulnerabilities is obviously important, but making it easy for people to know those vulnerabilities have been fixed is also important.
>
> Regards,
>
> David
>
> From: Michael Glavassevich [mailto:mrgla...@ca.ibm.com]
> Sent: Tuesday, May 22, 2018 9:52 AM
> To: j-users@xerces.apache.org
> Cc: j-...@xerces.apache.org; muk...@apache.org; priv...@xerces.apache.org
> Subject: RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release
>
> I thought the CVE was mentioned in the release announcement.
>
> The security team did eventually respond to us and said we shouldn't need a new CVE since it's the same source code that's affected.
>
> Thanks.
>
> Michael Glavassevich
> XML Technologies and WAS Development
> IBM Toronto Lab
> E-mail: mrgla...@ca.ibm.com
> E-mail: mrgla...@apache.org