[ https://issues.apache.org/jira/browse/XERCESJ-1722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17464498#comment-17464498 ]
Mukul Gandhi commented on XERCESJ-1722:
---------------------------------------

I guess using the file serializer.jar from XalanJ 2.7.2 within the next XercesJ release can simply fix this issue. I believe we should do this.

> Vulnerable Serializer 2.7.1 bundled in Xerces 2.12.1 binary distribution
> -----------------------------------------------------------------------
>
>                 Key: XERCESJ-1722
>                 URL: https://issues.apache.org/jira/browse/XERCESJ-1722
>             Project: Xerces2-J
>          Issue Type: Bug
>          Components: Serialization
>    Affects Versions: 2.12.1
>            Reporter: Olivier Jaquemet
>            Priority: Major
>
> The following jars are bundled in the Xerces-J 2.12.1 binary distribution:
> {{47dcde8986019314ef78ae7280a94973a21d2ed95075a40a000b42da956429e1  resolver.jar}}
> {{*1456a09a4c710804c7cb6c0897cf323ae168d0c07ed12ca389f81f572f6d4391  serializer.jar*}}
> {{a840968176645684bb01aed376e067ab39614885f9eee44abe35a5f20ebe7fad  xml-apis.jar}}
>
> Extracting information from the MANIFEST:
> * resolver.jar / Implementation-Version: 1.2
> * *serializer.jar / Implementation-Version: 2.7.1*
> * xml-apis.jar / Implementation-Version: 1.4.01
>
> Problem:
> If it IS the Xalan serializer 2.7.1 (which I could not confirm from the hash), this version is vulnerable to CVE-2014-0107:
> [https://nvd.nist.gov/vuln/detail/CVE-2014-0107]
> Xalan 2.7.2 was released in April 2014 and should probably be included, to prevent uninformed users from relying on the whole Xerces-J distribution.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
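The report above establishes the serializer's version by two hand checks: hashing the bundled jar and reading Implementation-Version out of its MANIFEST.MF. Below is an added example, written for this page and not code from Xerces-J, Xalan-J or the issue participants, that automates both checks against a jar's bytes. It reuses the SHA-256 listed for serializer.jar in the report as a known-bad fingerprint and treats any declared version below 2.7.2 (the Xalan-Java release that fixed CVE-2014-0107) as affected. The jars it runs on are constructed in memory and contain only a manifest; their manifest contents are made up for the example and are not the real jars' manifests.

```python
"""Added example: check a bundled serializer.jar by digest and by declared version.

Two independent signals are used:
  1. the SHA-256 of the jar bytes against known fingerprints, and
  2. the self-declared Implementation-Version in META-INF/MANIFEST.MF.
A manifest version is only a claim by whoever built the jar; the digest is the
evidence. A version-only hit is a lead to confirm against a signed release, not proof.
"""
import hashlib
import io
import zipfile

# Digest of serializer.jar in the Xerces-J 2.12.1 binary distribution, as listed in
# the issue report; its manifest declares Implementation-Version 2.7.1.
KNOWN_BAD_SHA256 = {
    "1456a09a4c710804c7cb6c0897cf323ae168d0c07ed12ca389f81f572f6d4391":
        "serializer.jar (Xalan-J 2.7.1) bundled with Xerces-J 2.12.1",
}

# CVE-2014-0107 was fixed in Xalan-Java 2.7.2; earlier serializer versions are affected.
FIXED_SERIALIZER_VERSION = (2, 7, 2)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse the main section of a MANIFEST.MF into {name: value}.

    Per the JAR spec, a line starting with a single space continues the previous
    value (values are wrapped at 72 bytes) and a blank line ends the main section.
    """
    attrs = {}
    last = None
    for line in text.splitlines():
        if not line.strip():
            break
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip()
            attrs[last] = value.strip()
    return attrs


def parse_version(version: str) -> tuple:
    """'2.7.1' -> (2, 7, 1). Stops at the first non-numeric component, so a
    qualifier such as '2.7.2-SNAPSHOT' compares as (2, 7) and is treated as older."""
    parts = []
    for component in version.split("."):
        if not component.isdigit():
            break
        parts.append(int(component))
    return tuple(parts)


def inspect_jar(data: bytes):
    """Return (sha256 hex digest, manifest main-section attributes) for jar bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    return sha256_hex(data), parse_manifest(manifest)


def assess_serializer(data: bytes, known_bad=KNOWN_BAD_SHA256):
    """Return a finding describing why the jar is suspect, or None if it passes."""
    digest, attrs = inspect_jar(data)
    if digest in known_bad:
        return f"known vulnerable artifact by SHA-256: {known_bad[digest]}"
    declared = attrs.get("Implementation-Version")
    if not declared:
        return "no Implementation-Version in manifest; establish provenance before use"
    if parse_version(declared) < FIXED_SERIALIZER_VERSION:
        return f"Implementation-Version {declared} is below 2.7.2: affected by CVE-2014-0107"
    return None


def build_jar(manifest_text: str) -> bytes:
    """Constructed test input: a minimal jar containing only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()


# Constructed manifests for the example; only the version line matters here.
OLD_MANIFEST = "Manifest-Version: 1.0\r\nImplementation-Version: 2.7.1\r\n\r\n"
NEW_MANIFEST = "Manifest-Version: 1.0\r\nImplementation-Version: 2.7.2\r\n\r\n"

if __name__ == "__main__":
    for label, jar in (("2.7.1 jar", build_jar(OLD_MANIFEST)),
                       ("2.7.2 jar", build_jar(NEW_MANIFEST))):
        print(f"{label}: {assess_serializer(jar) or 'ok'}")
```

Run it against the real file with `assess_serializer(open("serializer.jar", "rb").read())`. Only the digest path is conclusive: a jar that passes solely because its manifest says 2.7.2 should still be matched to the digest of a signed Xalan-J 2.7.2 release artifact before it is trusted, since the manifest is written by whoever built the jar.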