https://bz.apache.org/bugzilla/show_bug.cgi?id=66171
--- Comment #12 from Vladimir Sitnikov <sitnikov.vladi...@gmail.com> ---
> No one benefits from keeping a project alive when there are not enough
> maintainers

The CVE is trivial to fix, and it would help A LOT of users who depend on xalan today. They will be able to drop-replace xalan.jar with a newer version and it would resolve the CVE.

I agree migrating to modern alternatives makes sense, however, the migration requires testing which is hard to do for legacy projects.

I did try building xalan-j, and it worked for me, so I think fixing the CVE and releasing one more xalan version is viable:
https://lists.apache.org/thread/9jdjkhjk3mxjzzfd098bn0mxqyyovg2b