On 17/04/2020 at 23:10, Salvatore Bonaccorso wrote:

> The following vulnerability was published for dom4j.
> 
> CVE-2020-10683[0]:
> XML External Entity vulnerability in default SAX parser
> 
> [2] https://github.com/dom4j/dom4j/commit/a822852 (Patch)

The upstream patch doesn't fix anything; the constructor of SAXReader
still allows external entities by default, but the documentation now
suggests disabling them.

Emmanuel Bourg

__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
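
The reply above says a `SAXReader` built with its constructor still resolves external entities unless the caller turns them off. The following is an added example, not code from this thread or from the dom4j project, showing one way a caller can do that and confirm the result. The class name `HardenedSaxReader`, the helper `newHardenedReader` and the sample documents are constructed for illustration, and the `apache.org` feature names assume a Xerces-derived JAXP parser such as the JDK default.

```java
import java.io.StringReader;
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

// Hypothetical class name; requires dom4j on the classpath.
public class HardenedSaxReader {

    /** Build a SAXReader with DTDs and external entities switched off. */
    static SAXReader newHardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Reject any document that carries a DOCTYPE (Xerces-family feature).
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case DOCTYPE support is re-enabled later.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs; the entity target is a placeholder path.
        String withDoctype =
            "<?xml version=\"1.0\"?>"
          + "<!DOCTYPE r [<!ENTITY e SYSTEM \"file:///placeholder-not-a-real-file\">]>"
          + "<r>&e;</r>";
        String plain = "<r>ok</r>";

        SAXReader reader = newHardenedReader();

        // Ordinary documents must still parse.
        Document doc = reader.read(new StringReader(plain));
        System.out.println("plain document parsed, root = " + doc.getRootElement().getName());

        // A document with a DOCTYPE must be refused before any entity is resolved.
        try {
            reader.read(new StringReader(withDoctype));
            throw new AssertionError("DOCTYPE was accepted: reader is not hardened");
        } catch (DocumentException expected) {
            System.out.println("DOCTYPE rejected: " + expected.getMessage());
        }
    }
}
```

Running the same rejection check as a unit test against every place an application constructs a `SAXReader` catches call sites that still rely on the constructor's defaults.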
