On 3/4/15, 4:56 PM, "Michael Glavassevich" <mrgla...@ca.ibm.com> wrote:
> There has been some work done on the trunk [1] to make it easier for
> users to protect themselves but it isn't likely to change any defaults.
> Users need to configure XML parsers appropriately for their scenario and
> there are plenty of ways they can do that if they're concerned about XXE.

Maybe we were mistaken, but my team's analysis of CVE-2013-4002, which addressed an issue in the JDK, and of the fix here that was applied to trunk but never released, suggested to me that there's no way to configure any released version of Xerces safely unless the input document size is limited. This isn't an XXE issue per se, but it seemed relevant to ask, since this response seems to reinforce the position that no release can be expected.

-- Scott

---------------------------------------------------------------------
To unsubscribe, e-mail: j-users-unsubscr...@xerces.apache.org
For additional commands, e-mail: j-users-h...@xerces.apache.org
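The two mitigations discussed in this thread, configuring the parser against XXE as Michael suggests and capping the input size as Scott describes, can both be done from application code without waiting for a Xerces release. The following is an added example written for this page, not code from the thread or from the Xerces project. It uses the standard JAXP/Xerces feature URIs for disabling DOCTYPE and external entities, and wraps the input stream in a byte-counting filter so the parser never consumes more than a chosen cap. The class name, the `MAX_BYTES` value and the sample documents are assumptions chosen for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXmlParse {

    /** Assumed cap on accepted document size; pick a value that fits your inputs. */
    static final long MAX_BYTES = 1L << 20; // 1 MiB

    /** Builds a JAXP DocumentBuilder with DTDs and external entities switched off. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Secure processing turns on the parser's own entity-expansion limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting any DOCTYPE removes XXE and entity-expansion attacks at the root.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that do not honor the Xerces-specific feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Wraps the input so the parser sees at most `max` bytes, whatever parser version is in use. */
    static InputStream bounded(InputStream in, long max) {
        return new FilterInputStream(in) {
            private long seen = 0;

            private void account(int n) throws IOException {
                if (n > 0 && (seen += n) > max) {
                    throw new IOException("document exceeds " + max + " bytes");
                }
            }

            @Override public int read() throws IOException {
                int b = super.read();
                account(b < 0 ? 0 : 1);
                return b;
            }

            @Override public int read(byte[] buf, int off, int len) throws IOException {
                int n = super.read(buf, off, len);
                account(n);
                return n;
            }
        };
    }

    /** Parses a document with both mitigations applied. */
    static Document parse(byte[] doc) throws Exception {
        InputStream in = bounded(new ByteArrayInputStream(doc), MAX_BYTES);
        return hardenedBuilder().parse(new InputSource(in));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a classic XXE payload, not taken from any real incident.
        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE r [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
                + "<r>&xxe;</r>";
        try {
            parse(xxe.getBytes(StandardCharsets.UTF_8));
            System.out.println("UNEXPECTED: XXE document was accepted");
        } catch (SAXParseException e) {
            System.out.println("DOCTYPE rejected as expected: " + e.getMessage());
        }

        // A benign document still parses.
        Document ok = parse("<r><a>1</a></r>".getBytes(StandardCharsets.UTF_8));
        System.out.println("root element: " + ok.getDocumentElement().getTagName());

        // Constructed oversized but well-formed document: cut off at the stream layer.
        StringBuilder big = new StringBuilder("<r>");
        for (long i = 0; i < MAX_BYTES; i++) big.append('a');
        big.append("</r>");
        try {
            parse(big.toString().getBytes(StandardCharsets.UTF_8));
            System.out.println("UNEXPECTED: oversized document was accepted");
        } catch (IOException e) {
            System.out.println("size cap hit as expected: " + e.getMessage());
        }
    }
}
```

The size cap sits below the parser, so it holds regardless of which Xerces build is on the classpath; it bounds how much crafted input a parser bug can chew on but does not fix the bug itself, which is the distinction Scott's message draws. `setFeature` throws `ParserConfigurationException` if the underlying parser does not recognise a feature URI, so a non-Xerces JAXP provider would surface that at startup rather than silently running without the protection.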