Hi all, I'm trying to backport a fix for older versions of XercesJ in OpenSUSE.
I've been trying to figure out what commits are the ones that fix CVE-2022-23437 by going through the commit history between 2.12.1 and 2.12.2, as it was fixed in the later version:
On 28/01/2022 11:1, Mukul Gandhi wrote:
[ https://issues.apache.org/jira/browse/XERCESJ-1737?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mukul Gandhi resolved XERCESJ-1737.
-----------------------------------
    Fix Version/s: 2.12.2
       Resolution: Fixed

This issue was fixed within XercesJ 2.12.2.
1) Can someone confirm (maybe Mukul Gandhi) the following commits are the ones that fix that issue?
* https://svn.apache.org/viewvc?view=revision&revision=1897159
* https://svn.apache.org/viewvc?view=revision&revision=1897141

2) Are there other commits involved in the fix?

3) Also, does a reproducer for the CVE exist? I tried to find one but I didn't find any so far.
Cheers,
David.

--
David Anes <david.a...@suse.com>