Thanks for replying,

I can see that the issue has been fixed in 2.10.0, but it is still to be launched.
https://issues.apache.org/jira/browse/XERCESJ-1412.


Can we compile any of Xerces Java 2.x with the file as mentioned in the link below
to resolve the issue? Will it work?
http://svn.apache.org/viewvc?revision=787353&view=revision

Any pointer which can confirm whether Xerces Java 1.4.3 is affected or not
affected by the XML vulnerability?
Also, what is the last version that was available with Xerces 1.x, and any
guess if it was having XML vulnerability issues?

With Regards
Atul Parti


On Mon, Feb 1, 2010 at 9:38 PM, Michael Glavassevich <mrgla...@ca.ibm.com> wrote:

> Atul Parti <atulpa...@gmail.com> wrote on 01/29/2010 11:57:22 AM:
>
>
> > Thanks for replying,
> >
> > But when I visit the site
> > https://www.cert.fi/en/reports/2009/vulnerability2009085.html
> >
> > it shows that Apache Xerces Java, all versions, has issues but does
> > not specify which version has rectified it.
>
>
> I doubt whoever made this claim actually checked all versions. There are a
> lot of them in the field. The defect was in Xerces-J 2.x possibly dating
> back to Xerces-J 2.0.0, but the class with the problem didn't exist in
> Xerces 1.4.x. The parser (1.x versions) had a completely different
> architecture before that and may never have had this issue.
>
>
> > That is the major concern. Currently it seems that all Apache Xerces
> > Java has an XML vulnerability issue.
> > What's your call on this?
> >
> > Regards
> > Atul Parti
>
> Thanks.
>
> Michael Glavassevich
> XML Parser Development
> IBM Toronto Lab
> E-mail: mrgla...@ca.ibm.com
> E-mail: mrgla...@apache.org
>
