Hi Jeff,

The specific problem reported to Apache only applied to Apache Xerces C++. Xerces-J does not have the bug that was fixed in the C++ impl.

As a side note, for applications which do not want to trust documents containing DTDs there's been a feature [1] available in Xerces-J for years which will block them. There's also the JAXP secure processing feature [2] which folks should also be enabling if they're concerned about DoS attacks.

Thanks.

[1] http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
[2] http://xerces.apache.org/xerces2-j/javadocs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING

Michael Glavassevich
XML Parser Development
IBM Toronto Lab
E-mail: mrgla...@ca.ibm.com
E-mail: mrgla...@apache.org

Jeffrey Sinclair <j...@cooljeff.co.uk> wrote on 08/10/2009 05:18:53 PM:

> j-users,
>
> There was a vulnerability report relating to a denial of service attack
> with Xerces recently [1]. The vulnerability report does not appear to go
> into much detail, however the link [2] to the C++ impl of Xerces would
> suggest it relates to nested DTD structures (I assume infinite
> recursion).
>
> The report lists all versions of Apache Xerces as being impacted. Would
> someone be able to confirm if there is an issue with Xerces for Java and
> if so what the actual issue is?
>
> Thanks in advance for any help.
>
> Regards,
>
> Jeff
>
> [1] https://www.cert.fi/en/reports/2009/vulnerability2009085.html
> [2] http://svn.apache.org/viewvc?view=rev&revision=781488
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: j-users-unsubscr...@xerces.apache.org
> For additional commands, e-mail: j-users-h...@xerces.apache.org
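The two hardening features Michael points to, enabled together on a JAXP DocumentBuilderFactory, as an added example that is not part of the thread or of the Xerces project's own code. The feature URI string is the Xerces-J identifier behind the features page link [1]; the class name and the two sample documents are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Xerces-J feature from the features page linked as [1]: reject any document
    // that carries a DOCTYPE declaration, and with it any DTD-driven expansion.
    private static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";

    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // JAXP secure processing, linked as [2]: the parser applies its resource limits.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // For applications that do not trust DTDs at all, block them outright.
        factory.setFeature(DISALLOW_DOCTYPE, true);
        return factory.newDocumentBuilder();
    }

    /** Returns true if the parser accepted the document, false if it rejected it. */
    public static boolean parses(DocumentBuilder builder, String xml) {
        try {
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXException e) {
            // With disallow-doctype-decl on, a DOCTYPE is reported as a fatal parse error.
            System.out.println("rejected: " + e.getMessage());
            return false;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder builder = newHardenedBuilder();
        // Constructed inputs: a plain document, and one carrying an internal DTD subset.
        String plain = "<root><item>ok</item></root>";
        String withDtd = "<!DOCTYPE root [<!ENTITY e \"x\">]><root>&e;</root>";
        System.out.println("plain document accepted: " + parses(builder, plain));
        System.out.println("DTD document accepted:   " + parses(builder, withDtd));
    }
}
```

With both features on, the first document parses and the second is rejected before any entity is expanded.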