[ 
https://issues.apache.org/jira/browse/DRILL-8262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17568862#comment-17568862
 ] 

James Turton commented on DRILL-8262:
-------------------------------------

[~pj.fanning] (and all committers) please remember to return to the Jira issue 
to close it once your PR is merged. This Jira also needs _Affects Version_ set 
to 1.20.1 and _Fix Version_ to 1.20.2 (since this fix will be backported, 
otherwise _Fix Version_ would be 2.0.0). The version numbers are used for later 
reporting, e.g. when we generate release notes from Jira. Thank you!

> Xalan is EOL and has a never to be fixed CVE
> --------------------------------------------
>
>                 Key: DRILL-8262
>                 URL: https://issues.apache.org/jira/browse/DRILL-8262
>             Project: Apache Drill
>          Issue Type: Improvement
>            Reporter: PJ Fanning
>            Priority: Major
>
> Xalan is no longer supported.
> https://lists.apache.org/thread/s8kjny5270ssfcp46v0fl39lk98987w7
> It is better to use JAXP TransformerFactory than using xalan directly. If you 
> add xalan dependency just to ensure that you have a JAXP compliant 
> transformer on the classpath, this is unnecessary - the Java runtime has a 
> built-in implementation.
> Drill dependency:
> https://mvnrepository.com/artifact/org.apache.drill.exec/drill-java-exec/1.20.0



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
