Yes, but need help from volunteers with more time to prepare a Xerces release.
And should probably also have an xml-commons release (to include in Xerces) that contains this: http://svn.apache.org/viewvc?view=revision&revision=1357443

Similar hash collision fix as the ones implemented in Xerces.

Thanks.

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrgla...@ca.ibm.com
E-mail: mrgla...@apache.org

Gary Gregory <ggreg...@rocketsoftware.com> wrote on 11/05/2015 12:43:23 PM:

> Any thoughts on pushing out a release to pick up the one fix? (And
> whatever else is in trunk since 2.11)
>
> Gary
>
> On Thu, Nov 5, 2015 at 9:14 AM -0800, "Michael Glavassevich" <mrgla...@ca.ibm.com> wrote:
>
> Peter Major <peter.ma...@forgerock.com> wrote on 11/05/2015 02:24:58 AM:
>
> > How about these then?
> > https://bugzilla.redhat.com/show_bug.cgi?id=1273638
>
> Xerces doesn't support that property.
>
> > https://bugzilla.redhat.com/show_bug.cgi?id=1273645
>
> Xerces doesn't have a StAX XML parser.
>
> > https://bugzilla.redhat.com/show_bug.cgi?id=1273637
>
> The portion of the hashing collision issue that applies to Xerces is fixed
> on the trunk (in other words, after Xerces 2.11.0). See:
> http://svn.apache.org/viewvc?view=revision&revision=1357381.
>
> The rest of the hashing issue is in the Java platform itself. See
> http://openjdk.java.net/jeps/180.
>
> > On 2015. 11. 04. 16:38, Michael Glavassevich wrote:
> > > As they did not disclose any details in these reports, only Oracle would
> > > know.
> > >
> > > Thanks.
> > >
> > > Peter Major <peter.ma...@forgerock.com> wrote on 11/04/2015 03:36:26 AM:
> > >
> > >> Hi,
> > >>
> > >> it appears that Oracle has fixed some XML parsing related security
> > >> vulnerabilities:
> > >> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803
> > >> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893
> > >> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911
> > >>
> > >> Is it possible that these also affect Xerces 2.11.0?
> > >>
> > >> Regards,
> > >> Peter