Michael,

I followed up with the cert.fi group, who posted the vulnerability, to clarify the impact they mentioned in the Java implementations. As you pointed out, the DOS issue with Xerces-C is different. On the Java side they were specifically referring to bad characters in the DTD which can result in an infinite loop. This appears to have been patched recently in Xerces-J [1]. I also received a mail outside of the group re-iterating what cert.fi told me (thanks to Steve Jones).
Could you confirm that the check-in to the XMLScanner [1] was intended to fix this vulnerability? Also, are there any plans for a 2.9.2 to be released to resolve this?

Elliotte,

As Michael pointed out, my comment around the JDK JAXP impl not being Xerces was because it is kind of forked. Personally, I don't recommend that the JAXP impl bundled in the JDK be used in our enterprise environment for two main reasons. Firstly, in the past, it has lagged behind the current Xerces-J version, which results in bug fixes taking time to be 'back ported'. Secondly, there have been discrepancies in behaviour in the past which make it very hard to switch JVM vendors with the expectation that the JAXP stack will work as expected. Having said this, this specific vulnerability looks to have been fixed as of Sun Java 1.6.0_15 and Sun 1.5.0_20 [2].

[1] http://marc.info/?l=xerces-cvs&m=124569778024398&w=2
[2] http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1

Regards,
Jeff

On Tue, 2009-08-11 at 12:13 -0400, Michael Glavassevich wrote:
> Elliotte Rusty Harold <elh...@ibiblio.org> wrote on 08/11/2009 09:51:56 AM:
>
> > On Mon, Aug 10, 2009 at 10:44 PM, Jeffrey Sinclair<j...@cooljeff.co.uk> wrote:
> > > Thanks Michael.
> > >
> > > I'm going to see if I can provide feedback to cert.fi. Their original
> > > vulnerability report suggests that it is a Java problem too. Not only
> > > have they listed 'all' versions of Xerces but they have also listed the
> > > JAXP impl bundled in the JDK (which I know is no longer Xerces).
> > >
> >
> > Really? Since when. I know it used to be Xerces, and I thought it
> > still was (modulo Sun patches and repackaging). In what version did
> > this change?
>
> I think Jeff was referring to the amount of forking which Sun has done
> to Xerces. At this point I believe what they ship is very different
> than Apache Xerces. I'm not sure how folks got the impression that
> it's just "patches". I understand that they did significant
> development and re-architecture to accommodate StAX, work which has
> never made its way into the Apache codebase. Ditto for what was in
> Java 5 (for JAXP 1.3), also released by Sun before Xerces ever had
> those capabilities.
>
> > --
> > Elliotte Rusty Harold
> > elh...@ibiblio.org
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: j-users-unsubscr...@xerces.apache.org
> > For additional commands, e-mail: j-users-h...@xerces.apache.org
>
> Thanks.
>
> Michael Glavassevich
> XML Parser Development
> IBM Toronto Lab
> E-mail: mrgla...@ca.ibm.com
> E-mail: mrgla...@apache.org
>
> ---------------------------------------------------------------------
To unsubscribe, e-mail: j-users-unsubscr...@xerces.apache.org
For additional commands, e-mail: j-users-h...@xerces.apache.org
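Two practical points come out of this thread for anyone running Xerces-J or the JDK-bundled JAXP stack: first, you need to know which parser implementation is actually loaded before you can tell whether a given fix (the XMLScanner check-in, or the Sun 1.6.0_15 / 1.5.0_20 updates) applies to you; second, the reported infinite loop is triggered while scanning a DTD, so a deployment that never needs DTDs can refuse to scan them at all and take that code path off the table regardless of patch level. The following Java program is an added example written for this page, not code from the thread or from the Xerces project. It assumes only the standard JAXP/SAX API and the Apache Xerces feature URIs it names (`disallow-doctype-decl`, `load-external-dtd` and the two SAX external-entity features), which are honoured by both Apache Xerces-J and the JDK's forked copy; the two sample documents are constructed for the demonstration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class DtdHardening {

    // Feature URIs defined by Apache Xerces and SAX; the JDK-bundled JAXP parser recognises them too.
    static final String DISALLOW_DOCTYPE  = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXTERNAL_GENERAL  = "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAM    = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /**
     * Report the concrete factory and XMLReader classes JAXP resolved at runtime.
     * An org.apache.xerces.* name means Apache Xerces-J from the classpath; a
     * com.sun.org.apache.xerces.internal.* name means the JDK's forked copy, so the
     * relevant fix is the JDK update rather than a Xerces-J release.
     */
    static String reportImplementation() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        return f.getClass().getName() + " / " + f.newSAXParser().getXMLReader().getClass().getName();
    }

    /** Build a parser that refuses DOCTYPE declarations outright and never fetches external DTDs or entities. */
    static SAXParser hardenedParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);   // any <!DOCTYPE ...> is a fatal error, so the DTD scanner never runs
        f.setFeature(EXTERNAL_GENERAL, false);  // belt and braces for deployments that later relax the line above
        f.setFeature(EXTERNAL_PARAM, false);
        f.setFeature(LOAD_EXTERNAL_DTD, false);
        return f.newSAXParser();
    }

    /** Parse one document with a fresh hardened parser; true if accepted, false if rejected as a fatal error. */
    static boolean accepts(String xml) throws ParserConfigurationException, SAXException, IOException {
        try {
            hardenedParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JAXP implementation in use: " + reportImplementation());

        // Constructed sample inputs: a plain document and one carrying a harmless internal DTD subset.
        String plain = "<root><a>ok</a></root>";
        String withDoctype = "<!DOCTYPE root [<!ELEMENT root ANY>]><root/>";

        System.out.println("plain document accepted:        " + accepts(plain));        // true
        System.out.println("document with DOCTYPE accepted: " + accepts(withDoctype));  // false
    }
}
```

Run it with `java DtdHardening` and read the first line to learn which of the two forks you are auditing. Rejecting the DOCTYPE is the strongest mitigation because the malformed-DTD path described in the thread is simply never entered; where an application genuinely needs DTDs (for entity definitions or validation), the feature cannot be turned on and the fix has to come from the patched Xerces-J build or JDK update instead.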