Good question. Xerces has been rather... inactive :-(

Gary

On Fri, Dec 22, 2017 at 7:15 AM, Yves Geissbühler <yves.geissbueh...@incentage.com> wrote:

> Hi all,
> my problem is that Xerces-J 2.11.0 pops up on the OWASP Dependency Check
> [1] having the vulnerability CVE-2012-0881.
>
> After some investigation I found that CVE-2012-0881 has been indeed fixed
> and is scheduled to be released for Xerces-J 2.12.0 [2].
>
> However, no specific release date is given [3].
>
> Could you point me to a release schedule or do you know the release date?
>
> Using libraries which contain vulnerabilities is not an option for my
> organisation. So, I'm hoping for a Xerces-J 2.11.0 release happening
> soonish.
>
> Best regards,
> Yves
>
> [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
> [2] https://issues.apache.org/jira/browse/XERCESJ-1685
> [3] https://issues.apache.org/jira/projects/XERCESJ/versions/12336542