On 2016-06-29 14:44, Cantor, Scott wrote:
A patch release of the Xerces-C XML parser is now available and is
propagating to the mirrors. It includes a small number of important
bug fixes, including a fix for CVE-2016-4463.
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=10510&version=12336069
Of special note, applications that don't make use of DTDs should
strongly consider setting the XERCES_DISABLE_DTD environment variable
to "1" to insulate themselves from the likelihood of future
vulnerabilities in that code. When I have a free moment I will make
that a parser feature in the trunk since it requires an ABI change.
FYI, the downloads on http://apache.org/dist/xerces/c/3/sources/
are missing the signatures and checksums for xerces-c-3.1.4.tar.xz.
Would it be possible to add them?
Thanks,
Roger