Thanks Michael. I'm going to see if I can provide feedback to cert.fi. Their original vulnerability report suggests that it is a Java problem too. Not only have they listed 'all' versions of Xerces but they have also listed the JAXP impl bundled in the JDK (which I know is no longer Xerces).
Jeff

On Mon, 2009-08-10 at 18:06 -0400, Michael Glavassevich wrote:
> Hi Jeff,
>
> The specific problem reported to Apache only applied to Apache Xerces
> C++. Xerces-J does not have the bug that was fixed in the C++ impl.
>
> As a side note, for applications which do not want to trust documents
> containing DTDs there's been a feature [1] available in Xerces-J for
> years which will block them. There's also the JAXP secure processing
> feature [2] which folks should also be enabling if they're concerned
> about DoS attacks.
>
> Thanks.
>
> [1] http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
> [2] http://xerces.apache.org/xerces2-j/javadocs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
>
> Michael Glavassevich
> XML Parser Development
> IBM Toronto Lab
> E-mail: mrgla...@ca.ibm.com
> E-mail: mrgla...@apache.org
>
> Jeffrey Sinclair <j...@cooljeff.co.uk> wrote on 08/10/2009 05:18:53 PM:
>
> > j-users,
> >
> > There was a vulnerability report relating to a denial of service attack
> > with Xerces recently [1]. The vulnerability report does not appear to go
> > into much detail, however the link [2] to the C++ impl of Xerces would
> > suggest it relates to nested DTD structures (I assume infinite
> > recursion).
> >
> > The report lists all versions of Apache Xerces as being impacted. Would
> > someone be able to confirm if there is an issue with Xerces for Java and
> > if so what the actual issue is?
> >
> > Thanks in advance for any help.
> >
> > Regards,
> >
> > Jeff
> >
> > [1] https://www.cert.fi/en/reports/2009/vulnerability2009085.html
> > [2] http://svn.apache.org/viewvc?view=rev&revision=781488
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: j-users-unsubscr...@xerces.apache.org
> > For additional commands, e-mail: j-users-h...@xerces.apache.org
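One way to apply the two features Michael points to, as an added example that is not code from the thread or from the Xerces project: it assumes a JAXP SAXParserFactory backed by Xerces-J (the standalone library or the JDK's copy, both of which recognise the disallow-doctype-decl feature URI), and the sample documents are constructed here for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class DtdHardening {

    // Xerces-J feature from link [1]: the parser rejects any DOCTYPE declaration
    // before it reads the internal subset, so no entity is ever expanded.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";

    // Constructed sample: a document whose DTD declares one small entity.
    // DoS documents nest such declarations so that expansion blows up; this
    // one only shows that the DOCTYPE itself is refused.
    static final String DOC_WITH_DTD =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE root [ <!ENTITY a \"aaaa\"> ]>\n" +
        "<root>&a;</root>";

    static final String DOC_WITHOUT_DTD = "<root>plain</root>";

    // Factory with both features from the reply enabled: disallow-doctype-decl
    // (Xerces-specific) and FEATURE_SECURE_PROCESSING (standard JAXP, link [2]).
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    // Parses xml with the hardened factory; true if accepted, false if the
    // parser raised a SAXParseException (which it does for any DOCTYPE).
    static boolean accepts(String xml) throws Exception {
        SAXParser p = hardenedFactory().newSAXParser();
        try {
            p.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                    new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("document without DTD accepted: " + accepts(DOC_WITHOUT_DTD));
        System.out.println("document with DTD accepted:    " + accepts(DOC_WITH_DTD));
    }
}
```

Applications that must accept DTDs for legitimate reasons can leave disallow-doctype-decl off and rely on FEATURE_SECURE_PROCESSING alone, which bounds entity expansion rather than refusing the DOCTYPE outright.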