I use the Static Xerces libraries (I build the VC14 XercesLib project only - Static Debug & Static Release configurations), do I:

1. Add the XERCES_DISABLE_DTD=1 as a pre-processor variable to the XercesLib builds, or
2. Add it as a pre-processor variable to my project that includes these libraries, or
3. Have it defined when running the application that includes the static library?

I must admit that if the answer is "3", it won't be possible as I can't force the many users of our Open Source Windows application to set environmental variables. In this case, I would prefer it to be a XercesLib project pre-processor variable so that the static libraries that are generated are protected in that application without any user intervention.

Many thanks.

-----Original Message-----
From: Cantor, Scott [mailto:canto...@osu.edu]
Sent: 29 June 2016 15:44
To: c-users@xerces.apache.org; c-...@xerces.apache.org
Subject: Xerces-C 3.1.4 released

A patch release of the Xerces-C XML parser is now available and is propagating to the mirrors. It includes a small number of important bug fixes, including a fix for CVE-2016-4463.

https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=10510&version=12336069

Of special note, applications that don't make use of DTDs should strongly consider setting the XERCES_DISABLE_DTD environment variable to "1" to insulate themselves from the likelihood of future vulnerabilities in that code. When I have a free moment I will make that a parser feature in the trunk since it requires an ABI change.

-- Scott