I am replying to this thread for record-keeping purposes to say that this issue has been fixed in version 2.7.3.
Gary

On 2022/07/19 17:37:46 "Mark J. Cox" wrote:
> Description:
>
> The Apache Xalan Java XSLT library is vulnerable to an integer truncation
> issue when processing malicious XSLT stylesheets. This can be used to corrupt
> Java class files generated by the internal XSLTC compiler and execute
> arbitrary Java bytecode.
>
> The Apache Xalan Java project is dormant and in the process of being retired.
> No future releases of Apache Xalan Java to address this issue are expected.
>
> Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
>
> Credit:
>
> Reported by Felix Wilhelm, Google Project Zero
>
> References:
>
> https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8