On Thursday 19 August 2010 2:20:58 pm Seumas Soltysik wrote:
> Is there any jira for the security advisory described here:
> http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf I am
> looking for the patch that was applied to fix this issue.
>
> I have a branch of the 2.1.x line that does not contain the security fix
> and I am looking to patch this branch.

We didn't open a JIRA as it was fixed long before we could make it public.
Filing a JIRA would have made it public before we were ready. In any case,
the commit was:

r948131 | dkulp | 2010-05-25 13:52:01 -0400 (Tue, 25 May 2010) | 1 line

Turn off DTD and Entity expansion stuff in the XMLStreamReaders

--
Daniel Kulp
dk...@apache.org
http://dankulp.com/blog
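
For anyone patching an older branch by hand, the following added example (not the contents of r948131 and not CXF code) shows the kind of StAX hardening the commit message describes, using only the standard `javax.xml.stream` properties. The class name, helper names and the sample document are constructed for illustration, and the exact result for the hardened case (an exception or an unexpanded reference) depends on the StAX implementation on the classpath.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedStaxDemo {

    // Constructed sample input: a DOCTYPE declaring a harmless internal entity.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE msg [<!ENTITY e \"expanded-by-dtd\">]>"
        + "<msg>&e;</msg>";

    // Factory with DTD processing and external entity resolution switched off.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Reads all character data, or reports that the parser refused the input.
    static String readText(XMLInputFactory f, String xml) {
        StringBuilder sb = new StringBuilder();
        XMLStreamReader r = null;
        try {
            r = f.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    sb.append(r.getText());
                }
            }
            return "parsed: \"" + sb + "\"";
        } catch (XMLStreamException e) {
            return "rejected: " + e.getMessage();
        } finally {
            try { if (r != null) r.close(); } catch (XMLStreamException ignored) { }
        }
    }

    public static void main(String[] args) {
        // Default factory: entities declared in the DTD are normally expanded.
        System.out.println("default  -> " + readText(XMLInputFactory.newInstance(), SAMPLE));
        // Hardened factory: the DTD is not processed, so &e; is never expanded.
        System.out.println("hardened -> " + readText(hardenedFactory(), SAMPLE));
    }
}
```

Running the same comparison against a patched and an unpatched build is a quick way to confirm that a backport actually took effect.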