XALANJ-2792 represents the existing CVE-2019-2981 vulnerability identified on 
Xalan_2.7.3
I have seen no code added to git to remedy this CVE.
If there was, please point me to a branch and I’ll review.
A patch was submitted to XALANJ-2792

XALANJ-2793 represents the existing CVE-2019-2973 vulnerability identified on 
Xalan_2.7.3
I have seen no code added to git to remedy this CVE.
If there was, please point me to a branch and I’ll review.
A patch was submitted to XALANJ-2793

XALANJ-2591 fails with Xalan_2.7.2 and 2.7.3; it worked in 2.7.1
I have seen no code added to git to remedy this CVE.
If there was, please point me to a branch and I’ll review.
Xalan ServiceMix for 2.7.3_* and 2.7.2_* incorporates the patch from 
XALANJ-2591, and the issue no longer presents.

-Josh



From: Gary Gregory <[email protected]>
Sent: Monday, May 12, 2025 9:37 AM
To: [email protected]
Subject: Re: Xalan-J XSLT 3.0 release?



Hi Josh,

Have you tested the code in git for the changes you mentioned? Or are you looking 
for changes to the code that are not there?

Ty,
Gary

On Mon, May 12, 2025, 09:12 Marquart, Joshua (Coral Springs) 
<[email protected]> wrote:
It would be nice to see 2.7.4 release with

1 -  the vulnerabilities fixed: CVE-2019-2981 ( XALANJ-2792 ), CVE-2019-2973 ( 
XALANJ-2793 )

2 - the fix for attributes that was not actually released ( XALANJ-2591, fixed 
in Apache ServiceMix Xalan )

I've been forced to move on to another library.

-Josh

-----Original Message-----
From: Gary Gregory <[email protected]>
Sent: Monday, May 12, 2025 7:22 AM
To: [email protected]
Subject: Re: Xalan-J XSLT 3.0 release?




I should say that I'm interested in pushing a 2.7.x maintenance release to 
gather up whatever has changed since the previous release and possibly fixing 
whatever low-hanging fruit we want. This might turn into a 2.8.0 release 
depending on what's changed.

Gary

On Mon, May 12, 2025 at 7:20 AM Gary Gregory <[email protected]> wrote:
>
> Hi All,
>
> We can have a release anytime we want IMO; it's just a matter of using
> the best label: alpha-1, beta-1, or m1 (m for milestone).
>
> Gary
>
> On Wed, May 7, 2025 at 12:40 PM Mukul Gandhi <[email protected]> wrote:
> >
> > Hi all,
> > >    I'm wondering whether we can have a Xalan-J XSLT 3.0
> > implementation's beta release around these days? Or, is it still
> > early or too early?
> >
> > --
> > Regards,
> > Mukul Gandhi
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >
