> Since, we earlier on this list (about two months ago)

Was the CVE-2022-34169 known by that time? I expect you did not anticipate the CVE back then when you agreed on 1.8, so that is the reason I suggest considering something below 1.8 for the next release. 1.7 is fine.

> I think, fixing the CVE that you're referring to, is to support Apache JMeter

Well, releasing Xalan with the fix would ease JMeter maintenance, and it would help many more people who use xalan.jar. I do not suggest maintaining Xalan indefinitely, however, it would be nice to fix the known CVE.

Vladimir