This is an automated email from the ASF dual-hosted git repository.

elharo pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/xerces-j.git


The following commit(s) were added to refs/heads/main by this push:
     new c41d49b36 Add explicit statement around CVE-2017-7503 (#9)
c41d49b36 is described below

commit c41d49b360d27df220da4de1da1864098fc64e6e
Author: Arnout Engelen <[email protected]>
AuthorDate: Fri Jun 20 21:15:15 2025 +0200

    Add explicit statement around CVE-2017-7503 (#9)
---
 docs/security.xml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/docs/security.xml b/docs/security.xml
index deb967090..020c482d1 100644
--- a/docs/security.xml
+++ b/docs/security.xml
@@ -31,5 +31,14 @@ If you think you have found a security issue in Apache 
Xerces, please follow the
 Results from source code security analyzers are not accepted without 
additional analysis showing that the problem indeed violates the project's 
security model, as such tools commonly produce many false positives.
 </p>
 
+</s2>
+<s2 title="CVE-2017-7503">
+<p>
+In 2017, Red Hat published <jump 
href="https://www.cve.org/CVERecord?id=CVE-2017-7503";>CVE-2017-7503</jump>.
+Note that they do not mark Xerces as affected, only their own 'JBoss 
Enterprise Application Platform'.
+Sadly, the exact specifics of the issue appear to have been lost to time.
+It looks like it's simply describing that options for features like loading 
external entities and DTDs are enabled by default, which we (as documented 
above) consider expected and well-known behavior.
+Possibly JBoss did not correctly take this into account at the time.
+</p>
 </s2>
 </s1>
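Review bot: the `jump` element in the new paragraph appears to have a stray `;` after the closing quote of its href (`href="https://www.cve.org/CVERecord?id=CVE-2017-7503";>`); if that character is really in docs/security.xml rather than an artifact of the mail rendering, the element is malformed and the XML docs build will fail, so it should be dropped. Separately, the paragraph hedges in several places ("It looks like it's simply describing", "Possibly JBoss did not correctly take this into account"); for a security page it would be stronger to state only what is verifiable, that the CVE record does not list Xerces as affected and that loading external entities and DTDs is enabled by default as documented in the section above, and either leave out the guess about JBoss or mark it explicitly as the project's reading of the record.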

