Jeff, Jeffrey Sinclair <j...@cooljeff.co.uk> wrote on 08/11/2009 03:38:23 PM:
> Michael, > > I followed up with the cert.fi group, who posted the vulnerability, to > clarify the impact they mentioned in the Java implementations. As you > pointed out, the DOS issue with Xerces-C is different. On the Java side > they were specifically refering to bad characters in the DTD which can > result in an infinite loop. This appears to have been patched recently > in Xerces-J [1]. I also received a mail outside of the group > re-iterating what cert.fi told me (thanks to Steve Jones). > > Could you confirm that the check-in to the XMLScanner [1] was intended > to fix this vulnerability? Also are there any plans for a 2.9.2 to be > released to resolve this? It likely fixes the same issue. The next release is 2.10.0. It's been in the queue for awhile and would like to see it come out some time before the end of the year. Users of earlier releases should be able to work around it by enabling (if appropriate for their application) the " disallow-doctype-decl" feature I mentioned. Thanks. Michael Glavassevich XML Parser Development IBM Toronto Lab E-mail: mrgla...@ca.ibm.com E-mail: mrgla...@apache.org
