The Xerces project has released V3.2.5 of the C++ parser library, a patch release containing a fix for the CVE from 2018.
It's on the main download site now and should be on the mirrors shortly. The advisory has been updated accordingly [1]. (And I realized I need to re-sign that, so I'll fix it on the site today.)

-- Scott

[1] https://xerces.apache.org/xerces-c/secadv/CVE-2018-1311.txt