Excellent! Gary, thanks for driving this. Michael Glavassevich XML Technologies and WAS Development IBM Toronto Lab E-mail: [email protected] E-mail: [email protected]
Gary Gregory <[email protected]> wrote on 04/22/2014 04:26:07 PM: > The VOTE to release Xalan 2.7.2-RC1 as 2.7.2 passes with the following votes: > > Binding +1 votes: > > Gary Gregory (ggregory) > Gareth Reakes (gareth) > Steven J. Hathaway (shathaway) > Michael Glavassevich (mrglavas) > > Non-Binding +1 votes: > > [email protected] > Per Arnold BlÄsmo ([email protected]) > > Vote thread: https://www.mail-archive.com/[email protected]/msg00554.html > Xalan PMC: https://people.apache.org/committers-by-project.html#xalan-pmc > Thank you all for your patience, > Gary Gregory > PS: Now for the tricky part of releasing when it has not been done > in a long time... > > On Wed, Mar 26, 2014 at 2:59 PM, Gary Gregory <[email protected]> wrote: > Hello All: > > This is a VOTE to release Apache Xalan-J 2.7.2-RC1 as 2.7.2 > > This is a bug fix release. As before, Xalan-J requires a minimum of Java 1.3. > > The Apache Xalan-J team is pleased to announce the Apache Xalan-J 2. > 7.2 release! > > Xalan-Java fully implements XSL Transformations (XSLT) Version 1.0 > and the XML Path Language (XPath) Version 1.0. > > Changes in this version include: > > Fixed Bugs: > > - Fix for CVE-2014-0107 insufficient secure processing > > When using FEATURE_SECURE_PROCESSING ("http:// > javax.xml.XMLConstants/feature/secure-processing") on a > TransformerFactory, the output properties: > > {http://xml.apache.org/xalan}content-handler > {http://xml.apache.org/xalan}entities > {http://xml.apache.org/xslt}content-handler > {http://xml.apache.org/xslt}entities > > should be ignored (see http://xml.apache.org/xalan-j/ > usagepatterns.html#outputprops) > > These properties can be used to load an arbitrary class or access an > arbitrary URL/resource so are problematic when secure processing is desired. > > <xsl:output xalan:content-handler="org.example.BadClass" ... > > <xsl:output xalan:entities="http://example.org/reallyLargeFile.bin"; ... > > These features could be used to load a class that had undesirable > side-effects or to load a large file and exhaust memory, etc. > > See XALANJ-2435. > > - Upgrade to Xerces-J 2.11.0 and XML Commons External 1.4.01 > > The distributions contain upgraded versions of xercesImpl.jar > (Xerces-J 2.11.0) and xml-apis.jar (XML Commons External 1.4.01). > > > - XALANJ Jira bug fixes > > XALANJ Jira bug fixes: 2435, 2580, 2546, 2581, 2582, 2583, 2473, > 2495, 2493, 2424, 2446, 2447 > > You can also view the list in Jira: https://issues.apache.org/jira/ > browse/XALANJ-2424?jql=project%20%3D%20XALANJ%20AND%20fixVersion%20% > 3D%202.7.2%20ORDER%20BY%20due%20ASC%2C%20priority%20DESC%2C%20created%20ASC > > This VOTE is open for at least 72 hours until March 29 2014 at 15:00 PM EST. > > The files: > > https://people.apache.org/~ggregory/xalan/2.7.1-rc1/dist/ > > The tags: > > https://svn.apache.org/repos/asf/xalan/java/tags/xalan-j_2_7_2-rc1 > https://svn.apache.org/repos/asf/xalan/test/tags/xalan-j_2_7_2-rc1 > > The docs: > > https://people.apache.org/~ggregory/xalan/2.7.1-rc1/site/ > > Thank you, > Gary Gregory > > -- > E-Mail: [email protected] | [email protected] > Java Persistence with Hibernate, Second Edition > JUnit in Action, Second Edition > Spring Batch in Action > Blog: http://garygregory.wordpress.com > Home: http://garygregory.com/ > Tweet! http://twitter.com/GaryGregory > > > > -- > E-Mail: [email protected] | [email protected] > Java Persistence with Hibernate, Second Edition > JUnit in Action, Second Edition > Spring Batch in Action > Blog: http://garygregory.wordpress.com > Home: http://garygregory.com/ > Tweet! http://twitter.com/GaryGregory --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
