Hi all,

Is there any progress in releasing a (final?) version of Xalan-J? Or is there a non-official fork or a patch we can apply to fix CVE-2022-34169?

Dennis

On 2022/07/25 10:38:47 Vladimir Sitnikov wrote:
> > Since, we earlier on this list (about two months ago)
>
> Was the CVE-2022-34169 known by that time?
> I expect you did not anticipate the CVE back then when you agreed on 1.8, so that is the reason I suggest considering something below 1.8 for the next release. 1.7 is fine.
>
> > I think, fixing the CVE that you're referring to, is to support Apache JMeter
>
> Well, releasing Xalan with the fix would ease JMeter maintenance, and it would help
> many more people who use xalan.jar.
> I do not suggest maintaining Xalan indefinitely, however, it would be nice to fix the known CVE.
>
> Vladimir
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@xalan.apache.org
> For additional commands, e-mail: dev-h...@xalan.apache.org