The next version of Xerces-J will include a parser feature that will
turn off DOCTYPE processing.  When activated, this feature will
prevent the entity expansion that causes this vulnerability.  The Axis
team will be able to use this feature to close the hole.

The URI for the parser feature will be 
"http://apache.org/xml/features/disallow-doctype-decl";

Ted
----- Original Message ----- 
From: "Ben Laurie" <[EMAIL PROTECTED]>
To: "Ted Leung" <[EMAIL PROTECTED]>
Sent: Wednesday, November 27, 2002 3:37 AM
Subject: [Fwd: Security Alert - Xerces]


> Here ya go. Please keep security@ copied on any followups...
> 
> Cheers,
> 
> Ben.
> 
> -- 
> http://www.apache-ssl.org/ben.html       http://www.thebunker.net/
> 
> "There is no limit to what a man can do or how far he can go if he
> doesn't mind who gets the credit." - Robert Woodruff
> 
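The parser feature named in the message above, shown as an added example (not code from the message or from the Xerces-J or Axis projects). It assumes a JAXP parser that recognizes the feature URI, such as a Xerces-J release that includes it; the class name and both sample documents are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class DisallowDoctypeDemo {
    // Feature URI as given in the message.
    static final String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";

    // Constructed sample inputs: one without a DOCTYPE, one declaring an internal entity.
    static final String PLAIN = "<order><item>widget</item></order>";
    static final String WITH_DOCTYPE =
        "<!DOCTYPE order [<!ENTITY e \"widget\">]>"
        + "<order><item>&e;</item></order>";

    // Builds a parser with DOCTYPE declarations disallowed.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Throws ParserConfigurationException if the parser does not know the
        // feature, so an unsupported parser fails closed instead of silently
        // parsing with DOCTYPE processing still enabled.
        factory.setFeature(FEATURE, true);
        DocumentBuilder builder = factory.newDocumentBuilder();
        // DefaultHandler rethrows fatal errors and stays quiet otherwise.
        builder.setErrorHandler(new DefaultHandler());
        return builder;
    }

    // Returns true if the hardened parser accepts the document.
    static boolean accepts(String xml) throws Exception {
        try {
            hardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXException e) {
            // A DOCTYPE is reported as a fatal error before any entity is expanded.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain document accepted:   " + accepts(PLAIN));
        System.out.println("DOCTYPE document accepted: " + accepts(WITH_DOCTYPE));
    }
}
```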
