Hi, and sorry if breaking in at wrong moment with wrong topic.

And it is great to see life is coming back here to XALAN-J too :)

Not sure it might be a good idea to interrupt the process of the new release being issued, but I would like to draw the committers' attention to the XALANJ-2544 <https://issues.apache.org/jira/browse/XALANJ-2544> issue. This issue is about entity resolving being not available for XSLT (transform template) file, while being normally available for source XML file. A patch is available, so it would be great to have this patch reviewed and merged if possible, be it with this release or with the next one...

And I am always here to provide comments and feedback if necessary...

Regards,
Sergey Ushakov



On 26.03.14 22:59, Gary Gregory wrote:
Hello All:

This is a VOTE to release Apache Xalan-J 2.7.2-RC1 as 2.7.2

This is a bug fix release. As before, Xalan-J requires a minimum of Java 1.3.

The Apache Xalan-J team is pleased to announce the Apache Xalan-J 2.7.2 release!

Xalan-Java fully implements XSL Transformations (XSLT) Version 1.0 and the XML Path Language (XPath) Version 1.0.

Changes in this version include:

Fixed Bugs:

- Fix for CVE-2014-0107 insufficient secure processing

When using FEATURE_SECURE_PROCESSING ("http://javax.xml.XMLConstants/feature/secure-processing") on a TransformerFactory, the output properties:

{http://xml.apache.org/xalan}content-handler
{http://xml.apache.org/xalan}entities
{http://xml.apache.org/xslt}content-handler
{http://xml.apache.org/xslt}entities

should be ignored (see http://xml.apache.org/xalan-j/usagepatterns.html#outputprops)

These properties can be used to load an arbitrary class or access an arbitrary URL/resource so are problematic when secure processing is desired.

<xsl:output xalan:content-handler="org.example.BadClass" ...

<xsl:output xalan:entities="http://example.org/reallyLargeFile.bin" ...

These features could be used to load a class that had undesirable side-effects or to load a large file and exhaust memory, etc.

See XALANJ-2435.

- Upgrade to Xerces-J 2.11.0 and XML Commons External 1.4.01

The distributions contain upgraded versions of xercesImpl.jar (Xerces-J 2.11.0) and xml-apis.jar (XML Commons External 1.4.01).


- XALANJ Jira bug fixes

XALANJ Jira bug fixes: 2435, 2580, 2546, 2581, 2582, 2583, 2473, 2495, 2493, 2424, 2446, 2447

You can also view the list in Jira: https://issues.apache.org/jira/browse/XALANJ-2424?jql=project%20%3D%20XALANJ%20AND%20fixVersion%20%3D%202.7.2%20ORDER%20BY%20due%20ASC%2C%20priority%20DESC%2C%20created%20ASC

This VOTE is open for at least 72 hours until March 29 2014 at 15:00 PM EST.

The files:

https://people.apache.org/~ggregory/xalan/2.7.1-rc1/dist/

The tags:

https://svn.apache.org/repos/asf/xalan/java/tags/xalan-j_2_7_2-rc1
https://svn.apache.org/repos/asf/xalan/test/tags/xalan-j_2_7_2-rc1

The docs:

https://people.apache.org/~ggregory/xalan/2.7.1-rc1/site/

Thank you,
Gary Gregory

--
E-Mail: [email protected] | [email protected]
Java Persistence with Hibernate, Second Edition <http://www.manning.com/bauer3/>
JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
Spring Batch in Action <http://www.manning.com/templier/>
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory
