To answer your questions,

1) Yes, those two commits contain the fix.
2) There are no other commits for the fix.
3) That's not generally available. Hopefully the reason for that would be 
obvious.

Thanks.

Michael Glavassevich
Software Development
IBM Toronto Lab
E-mail: mrgla...@ca.ibm.com
E-mail: mrgla...@apache.org

-----Original Message-----
From: David Anes <david.a...@suse.com.INVALID> 
Sent: February 11, 2022 10:01 AM
To: j-dev@xerces.apache.org
Subject: [EXTERNAL] Help to fix CVE-2022-23437 on older versions of XercesJ <= 2.12.1

Hi all,

I'm trying to backport a fix for older versions of XercesJ in OpenSUSE.

I've been trying to figure out what commits are the ones that fix
CVE-2022-23437 by going through the commit history between 2.12.1 and 2.12.2, 
as it was fixed in the later version:

On 28/01/2022 11:1, Mukul Gandhi wrote:
> [ 
> https://issues.apache.org/jira/browse/XERCESJ-1737?page=com.atlassian.
> jira.plugin.system.issuetabpanels:all-tabpanel ]
> 
> Mukul Gandhi resolved XERCESJ-1737.
> -----------------------------------
>     Fix Version/s: 2.12.2
>        Resolution: Fixed
> 
> This issue was fixed within XercesJ 2.12.2.

1) Can someone confirm (maybe Mukul Gandhi) the following commits are the ones 
that fix that issue?
   * https://svn.apache.org/viewvc?view=revision&revision=1897159
   * https://svn.apache.org/viewvc?view=revision&revision=1897141

2) Are there other commits involved in the fix?

3) Also, does a reproducer for the CVE exist? I tried to find one but I didn't 
find any so far.

Cheers,
David.

--
David Anes <david.a...@suse.com>
