I don't know if and when there will be a xalan release. Just to correct what you said about OpenJDK - it does not use xalan - it has its own code that was copied from xalan many years ago and is now maintained independently. xmlsec has an optional dependency on xalan and most features of xmlsec work without using xalan. This is described at https://santuario.apache.org/java150releasenotes.html
On 2022/08/26 09:01:56 Venkata Swamy Karukuri wrote: > Dear XALAN java project dev community, > > This is Venky from Broadcom Software Group writing about the recent > vulnerability <https://nvd.nist.gov/vuln/detail/CVE-2022-34169> reported > that might execute arbitrary Java bytecode while processing malicious XSLT > stylesheets. > > I understand that this project is dormant and being retired. Many projects, > including OpenJDK, and XMLSec, uses XALAN binary. > > Do you anticipate providing a fix for this vulnerable binary? > Or* if we provide the fix and test it, would you endorse it and make it > available on the project website?* > > Kindly advise. > > -Venky Karukuri > > -- > This electronic communication and the information and any files transmitted > with it, or attached to it, are confidential and are intended solely for > the use of the individual or entity to whom it is addressed and may contain > information that is confidential, legally privileged, protected by privacy > laws, or otherwise restricted from disclosure to anyone else. If you are > not the intended recipient or the person responsible for delivering the > e-mail to the intended recipient, you are hereby notified that any use, > copying, distributing, dissemination, forwarding, printing, or copying of > this e-mail is strictly prohibited. If you received this e-mail in error, > please return the e-mail to the sender, delete it from your computer, and > destroy any printed copy of it. > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@xalan.apache.org For additional commands, e-mail: dev-h...@xalan.apache.org
