FYI to committers not on the PMC list,

After a discussion, there was a consensus vote to respond to a concern raised by the Apache security team by publicly disclosing and documenting a vulnerability in Xerces-C that was reported last year and has remained unfixed due to a lack of resources willing/able to work on a fix, to this point at least.
The PMC agreed, so I volunteered to get it documented in the advisories section of the web site this week and will try and get that done today.

-- Scott