Elliotte Rusty Harold <elh...@ibiblio.org> wrote on 08/11/2009 09:51:56 AM:
> On Mon, Aug 10, 2009 at 10:44 PM, Jeffrey Sinclair<j...@cooljeff.co.uk> wrote:
> > Thanks Michael.
> >
> > I'm going to see if I can provide feedback to cert.fi. Their original
> > vulnerability report suggests that it is a Java problem too. Not only
> > have they listed 'all' versions of Xerces but they have also listed the
> > JAXP impl bundled in the JDK (which I know is no longer Xerces).
> >
>
> Really? Since when. I know it used to be Xerces, and I thought it
> still was (modulo Sun patches and repackaging). In what version did
> this change?

I think Jeff was referring to the amount of forking which Sun has done to Xerces. At this point I believe what they ship is very different than Apache Xerces. I'm not sure how folks got the impression that it's just "patches". I understand that they did significant development and re-architecture to accommodate StAX, work which has never made its way into the Apache codebase. Ditto for what was in Java 5 (for JAXP 1.3), also released by Sun before Xerces ever had those capabilities.

> --
> Elliotte Rusty Harold
> elh...@ibiblio.org

Thanks.

Michael Glavassevich
XML Parser Development
IBM Toronto Lab
E-mail: mrgla...@ca.ibm.com
E-mail: mrgla...@apache.org