Hi Emmanuel,

On Sun, Apr 19, 2020 at 02:36:14AM +0200, Emmanuel Bourg wrote:
> On 17/04/2020 at 23:10, Salvatore Bonaccorso wrote:
>
> > The following vulnerability was published for dom4j.
> >
> > CVE-2020-10683[0]:
> > XML External Entity vulnerability in default SAX parser
> >
> > [2] https://github.com/dom4j/dom4j/commit/a822852 (Patch)
>
> The upstream patch doesn't fix anything: the constructor of SAXReader
> still allows external entities by default, but the documentation now
> suggests disabling them.
I must have misread the idea then, thinking it was switching to a safer default.

For the initial triage I followed on
https://bugzilla.redhat.com/show_bug.cgi?id=1694235 and
https://bugzilla.suse.com/show_bug.cgi?id=1169760

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
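The point of the exchange above is that a plain `new SAXReader()` still resolves external entities, so an application has to opt out itself. The following is an added example (not code from the dom4j project or from either poster) showing the default reader pulling a local file into the document through a constructed XXE payload, next to a reader hardened with the standard SAX/Xerces features that dom4j's `SAXReader.setFeature` passes through to the underlying parser. The payload, the class name and the choice of `/etc/hostname` as the target file are assumptions made for the demonstration; the file must exist on the host for the first parse to show anything.

```java
import java.io.StringReader;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public class Dom4jXxeDemo {

    // Constructed XXE payload (assumption: /etc/hostname exists on the host running this).
    // It declares an external general entity and expands it inside the root element.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE doc [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
        + "<doc>&xxe;</doc>";

    // Default SAXReader: nothing disables DOCTYPE processing or external entities,
    // so the parser fetches file:///etc/hostname and its contents become the element text.
    static String parseWithDefaults(String xml) throws DocumentException {
        SAXReader reader = new SAXReader();
        Document doc = reader.read(new StringReader(xml));
        return doc.getRootElement().getText();
    }

    // Hardened SAXReader: reject any DOCTYPE outright (which already stops XXE and
    // entity-expansion attacks) and, as defence in depth, switch off external general and
    // parameter entities. These are standard SAX/Xerces feature URIs honoured by the JDK
    // parser; setFeature throws SAXException if the parser in use does not recognise one.
    static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return reader;
    }

    static String parseHardened(String xml) throws SAXException, DocumentException {
        Document doc = hardenedReader().read(new StringReader(xml));
        return doc.getRootElement().getText();
    }

    public static void main(String[] args) throws Exception {
        // Vulnerable path: prints the hostname read from disk.
        System.out.println("default reader: " + parseWithDefaults(PAYLOAD).trim());

        // Hardened path: the DOCTYPE is rejected before any entity can be resolved,
        // and dom4j surfaces the parser error as a DocumentException.
        try {
            parseHardened(PAYLOAD);
            System.out.println("hardened reader: parsed (unexpected)");
        } catch (DocumentException e) {
            System.out.println("hardened reader rejected the document: " + e.getMessage());
        }
    }
}
```

Compile and run with dom4j on the classpath (`javac -cp dom4j-2.1.x.jar Dom4jXxeDemo.java && java -cp dom4j-2.1.x.jar:. Dom4jXxeDemo`). If a later dom4j release does ship a safer constructor default, the `setFeature` calls in `hardenedReader` stay correct and simply become redundant, which is the reason to set them explicitly in application code rather than relying on whichever version the distribution happens to package.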
