Any more word on a patch of xalan-2.7.2 to resolve CVE-2022-34169? I saw some conversation about it a week or so ago but have seen no more updates.
My company is in the midst of upgrading many applications, but we had not yet planned on upgrading some very large XSLT stylesheets that are transformed from Java. A patch to xalan-2.7.2 would buy us more time to evaluate future products, processors and XSLT versions.
I tried to remove the xalan jar from the classpath and use the basic internal JDK version with Java 8 or Java 11, but found that our use of an internal java.util.Hashtable to store and retrieve values stopped working. Example: (xmlns:myhash="xalan://java.util.Hashtable"). Using xsl:variable MYHASH to declare one with myhash:new(), then myhash:put and myhash:get etc., caused no errors, but the value put in could not be retrieved later with get.
Thanks
James Allen