Re: [cross-project-issues-dev] Potential vulnerability in Apache Xerces 1.12.1 (CVE-2022-23437)
i guess orbit can also decide to drop old stuff. do you know how milestones are built? i still miss orbit m2

On 31.01.22 at 15:12, Pierre-Charles David wrote:
> On 27/01/2022 at 17:17, Pierre-Charles David wrote:
>> On 27/01/2022 at 01:25, Nitin Dahyabhai wrote:
>>> Of course, only now do I remember how much effort Aurélien had to go through just to get the then-current version onto Maven Central.
>> According to https://issues.apache.org/jira/browse/XERCESJ-1735 it is now available at https://repo1.maven.org/maven2/xerces/xercesImpl/2.12.2/
>> I've proposed a patch to make the update in Orbit: https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190077
> The patch has been merged. An Orbit I-build with Xerces 2.12.2 (instead of 2.12.1) is available at https://download.eclipse.org/tools/orbit/downloads/drops/I20220131095416/repository/. Note that because of the way Orbit repos are built, this also includes the much older Xerces 2.9, which from the CVE is also affected by the vulnerability and should be avoided.
>>> On Wed, Jan 26, 2022 at 7:10 PM Nitin Dahyabhai wrote:
>>>> Wayne, I'll take it on.
>>>> On Wed, Jan 26, 2022 at 5:02 PM Wayne Beaton wrote:
>>>>> From CVE-2022-23437:
>>>>>> There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and *the previous versions*.
>>>>> More here:
>>>>> * https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl
>>>>> * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23437
>>>>> This particular version is in Orbit and in the Simultaneous Release. It appears that version 2.9 is also in the simultaneous release. According to the alert all versions are affected.
>>>>> According to the CQ record, several projects on the simultaneous release are using affected versions.
>>>>> If anybody from EclipseLink is monitoring this channel, you have a CQ for this library, but I haven't found it in your builds yet. You should probably also have a look.
>>>>> It seems that the reasonable mitigation strategy is to update to 2.12.2, but we'll need somebody to take the lead on that. Any volunteers?
>>>>> Wayne
>>>>> --
>>>>> Wayne Beaton
>>>>> Director of Open Source Projects | Eclipse Foundation
>>>> --
>>>> Regards,
>>>> Nitin Dahyabhai
>>>> Eclipse WTP PMC
>>> --
>>> Regards,
>>> Nitin Dahyabhai
>>> Eclipse WTP PMC
> --
> Pierre-Charles David (Obeo)

--
Vorstand/Board: Jens Wagener (Vors./chairman), Dr. Stephan Eberle, Abdelghani El-Kacimi, Wolfgang Neuhaus, Franz-Josef Schuermann
Aufsichtsrat/Supervisory Board: Michael Neuhaus (Vors./chairman), Harald Goertz, Eric Swehla
Sitz der Gesellschaft/Registered Office: Am Brambusch 15-24, 44536 Lünen (Germany)
Registergericht/Registry Court: Amtsgericht Dortmund | HRB 20621

___
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
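As an added example (not code from this thread, from Orbit or from Xerces), the check below scans a dependency report for Xerces versions that the thread describes as still affected by CVE-2022-23437: anything below 2.12.2, including the 2.9 bundle that the new Orbit repository still carries alongside 2.12.2. The Maven entries follow the `mvn dependency:list` output format; the `org.apache.xerces_<version>.jar` bundle naming, the qualifiers and the sample report are assumptions constructed for the example.

```python
import re

# First xercesImpl release carrying the fix, per the CVE note quoted in the thread.
FIXED_VERSION = (2, 12, 2)

# Maven `dependency:list` style entries, e.g. "xerces:xercesImpl:jar:2.12.1:compile"
_MAVEN_LINE = re.compile(r"xerces:xercesImpl:(?:jar|bundle):([^:\s]+)")
# OSGi-style bundle file names such as org.apache.xerces_2.9.0.v201101211617.jar
# (bundle id and qualifier are assumptions, not values from the thread)
_BUNDLE_NAME = re.compile(r"org\.apache\.xerces_([0-9][^\s/]*?)(?:\.jar)?$")


def parse_version(text):
    """'2.12.1' -> (2, 12, 1); a qualifier such as '.v2011...' or '-SNAPSHOT'
    is dropped and missing components count as zero ('2.9' == '2.9.0')."""
    parts = []
    for piece in re.split(r"[.\-]", text):
        if not piece.isdigit():
            break  # first non-numeric piece starts the qualifier
        parts.append(int(piece))
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version):
    """True when the version predates the fix. The comparison is numeric, so
    a hypothetical 2.12.10 is newer than 2.12.2; comparing the raw strings
    ('2.12.10' < '2.12.2' is True in Python) would misreport it as affected."""
    return parse_version(version) < FIXED_VERSION


def find_affected(report_text):
    """Return (line_number, version) for each Xerces entry still on an affected version."""
    hits = []
    for lineno, line in enumerate(report_text.splitlines(), start=1):
        m = _MAVEN_LINE.search(line) or _BUNDLE_NAME.search(line.strip())
        if m and is_affected(m.group(1)):
            hits.append((lineno, m.group(1)))
    return hits


# Constructed sample report: three Maven entries and two bundle paths.
SAMPLE_REPORT = """\
[INFO]    xerces:xercesImpl:jar:2.12.1:compile
[INFO]    xml-apis:xml-apis:jar:1.4.01:compile
[INFO]    xerces:xercesImpl:jar:2.12.2:compile
plugins/org.apache.xerces_2.9.0.v201101211617.jar
plugins/org.apache.xerces_2.12.2.v20220131-0946.jar
"""

if __name__ == "__main__":
    for lineno, version in find_affected(SAMPLE_REPORT):
        print(f"line {lineno}: Xerces {version} is affected by CVE-2022-23437")
```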
Re: [cross-project-issues-dev] Potential vulnerability in Apache Xerces 1.12.1 (CVE-2022-23437)
On 27/01/2022 at 17:17, Pierre-Charles David wrote:
> On 27/01/2022 at 01:25, Nitin Dahyabhai wrote:
>> Of course, only now do I remember how much effort Aurélien had to go through just to get the then-current version onto Maven Central.
> According to https://issues.apache.org/jira/browse/XERCESJ-1735 it is now available at https://repo1.maven.org/maven2/xerces/xercesImpl/2.12.2/
> I've proposed a patch to make the update in Orbit: https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190077

The patch has been merged. An Orbit I-build with Xerces 2.12.2 (instead of 2.12.1) is available at https://download.eclipse.org/tools/orbit/downloads/drops/I20220131095416/repository/. Note that because of the way Orbit repos are built, this also includes the much older Xerces 2.9, which from the CVE is also affected by the vulnerability and should be avoided.

--
Pierre-Charles David (Obeo)
Re: [cross-project-issues-dev] Potential vulnerability in Apache Xerces 1.12.1 (CVE-2022-23437)
On 27/01/2022 at 01:25, Nitin Dahyabhai wrote:
> Of course, only now do I remember how much effort Aurélien had to go through just to get the then-current version onto Maven Central.

According to https://issues.apache.org/jira/browse/XERCESJ-1735 it is now available at https://repo1.maven.org/maven2/xerces/xercesImpl/2.12.2/

I've proposed a patch to make the update in Orbit: https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190077

--
Pierre-Charles David (Obeo)
Re: [cross-project-issues-dev] Potential vulnerability in Apache Xerces 1.12.1 (CVE-2022-23437)
Of course, only now do I remember how much effort Aurélien had to go through just to get the then-current version onto Maven Central.

On Wed, Jan 26, 2022 at 7:10 PM Nitin Dahyabhai wrote:
> Wayne, I'll take it on.
>
> On Wed, Jan 26, 2022 at 5:02 PM Wayne Beaton <wayne.bea...@eclipse-foundation.org> wrote:

--
Regards,
Nitin Dahyabhai
Eclipse WTP PMC
Re: [cross-project-issues-dev] Potential vulnerability in Apache Xerces 1.12.1 (CVE-2022-23437)
Wayne, I'll take it on.

On Wed, Jan 26, 2022 at 5:02 PM Wayne Beaton <wayne.bea...@eclipse-foundation.org> wrote:

--
Regards,
Nitin Dahyabhai
Eclipse WTP PMC