On 1/5/26 14:18, Martin Desruisseaux wrote:
Users are recommended to upgrade to version 1.6, which will fix the issue. In
the meantime, the security vulnerability can be avoided by launching Java with
the javax.xml.accessExternalDTD system property sets to a comma-separated list
of authorized protocols. For example:
java -Djavax.xml.accessExternalDTD="" ...
The related commit seems to be
https://github.com/apache/sis/commit/5bfa162bd56edb7d41d56a0c926592964d31d83b
?
It would rock if Oracle would finally fix 3+ XML parser defaults
from vulnerable for years to secure for everyone using Java.
