Hi all,

I'm trying to backport a fix for older versions of XercesJ in OpenSUSE.

I've been trying to figure out which commits are the ones that fix CVE-2022-23437 by going through the commit history between 2.12.1 and 2.12.2, since it was fixed in the latter version:

On 28/01/2022 11:1, Mukul Gandhi wrote:
[ https://issues.apache.org/jira/browse/XERCESJ-1737?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mukul Gandhi resolved XERCESJ-1737.
-----------------------------------
    Fix Version/s: 2.12.2
       Resolution: Fixed

This issue was fixed within XercesJ 2.12.2.

1) Can someone confirm (maybe Mukul Gandhi) the following commits are the ones that fix that issue?
  * https://svn.apache.org/viewvc?view=revision&revision=1897159
  * https://svn.apache.org/viewvc?view=revision&revision=1897141

2) Are there other commits involved in the fix?

3) Also, does a reproducer for the CVE exist? I tried to find one but I didn't find any so far.

Cheers,
David.

--
David Anes <david.a...@suse.com>
