On 2010/06/18 22:21, Daniel Kulp wrote:
> On Thursday 17 June 2010 11:17:13 pm Nikolay Elenkov wrote:
>>
>> So I guess we are safe. Anyone that built using Maven should get the same,
>> so it should be mostly OK? Unless of course their appserver ignores the
>> bundled parser and uses the system one for some reason.
>
> Well, I'm still not sure if the section 5.2 vulnerability isn't still an
> issue. In this case, did Woodstox parse the DTD (and thus hit the google
> URL) before returning the DTD event? I don't know. You would need to
> wireshark or something to see if a URL connection is going out to google.

I forgot to say so in my last email, but I was monitoring the test with
Wireshark. There were no outgoing requests.

> .....
>
> Actually, just tried it. With woodstox as the parser, I don't see any
> outgoing requests. With the parser built into the JDK, I do. (with 2.2.8
> and earlier)
>
> With the new CXF releases, I don't see any outgoing hits with either parser.
>
> Thus, for SOAP endpoints, if you are 100% sure you are using Woodstox, then
> you shouldn't be vulnerable. As you said, by default, our maven deps pull
> in woodstox so hopefully most people are OK. Upgrading is still strongly
> recommended to be sure though.
>

Thanks.
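The check both posters describe (watch whether parsing a message with an external DOCTYPE makes the parser go out to the network) can be done in-process instead of with Wireshark. The program below is an added example written for this page; it is not code from the thread, from CXF or from Woodstox. It stands up a loopback HTTP server in place of the google URL mentioned above, counts how often the DTD it serves is requested, and parses a constructed sample message twice: once with whatever `XMLInputFactory` implementation is on the classpath at its default settings, and once with the standard StAX properties `SUPPORT_DTD` and `IS_SUPPORTING_EXTERNAL_ENTITIES` set to `false`. The hit count, not the property names, is the evidence: whether a given implementation honours those properties is exactly what the program measures rather than assumes. The class name it prints tells you which parser was actually used (Woodstox is `com.ctc.wstx.stax.WstxInputFactory`), so the same run answers the "are we really on the bundled parser?" question from the first message.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.StringReader;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.atomic.AtomicInteger;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;

public class DtdFetchCheck {

    // Number of times a parser actually fetched the external DTD from our server.
    static final AtomicInteger hits = new AtomicInteger();

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the remote host watched for in the thread:
        // a loopback HTTP server that serves a trivial DTD and counts requests.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/ext.dtd", exchange -> {
            hits.incrementAndGet();
            byte[] body = "<!ELEMENT root (#PCDATA)>".getBytes(StandardCharsets.US_ASCII);
            exchange.sendResponseHeaders(200, body.length);
            exchange.getResponseBody().write(body);
            exchange.close();
        });
        server.start();
        try {
            String url = "http://127.0.0.1:" + server.getAddress().getPort() + "/ext.dtd";
            // Constructed sample message: a DOCTYPE whose external subset points at our server.
            String xml = "<?xml version=\"1.0\"?>\n"
                       + "<!DOCTYPE root SYSTEM \"" + url + "\">\n"
                       + "<root>hello</root>";

            // 1) Whatever the platform/classpath gives us, untouched.
            XMLInputFactory defaults = XMLInputFactory.newInstance();
            report("default settings", defaults, xml);

            // 2) Same implementation with DTD processing and external entities switched off.
            XMLInputFactory hardened = XMLInputFactory.newInstance();
            hardened.setProperty(XMLInputFactory.SUPPORT_DTD, false);
            hardened.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
            report("SUPPORT_DTD=false, IS_SUPPORTING_EXTERNAL_ENTITIES=false", hardened, xml);
        } finally {
            server.stop(0);
        }
    }

    // Reads the whole document (so the DTD event is reached and passed) and
    // reports whether the DTD URL was contacted while doing so.
    static void report(String label, XMLInputFactory factory, String xml) {
        int before = hits.get();
        String outcome;
        try {
            XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
            while (reader.hasNext()) {
                reader.next();
            }
            reader.close();
            outcome = "parsed";
        } catch (Exception e) {
            // Some implementations reject a DOCTYPE outright when DTDs are disabled;
            // for this check that is as good as not fetching it.
            outcome = "rejected (" + e.getClass().getSimpleName() + ")";
        }
        int fetched = hits.get() - before;
        System.out.println(factory.getClass().getName() + " [" + label + "]: " + outcome
                + ", external DTD fetched " + fetched + " time(s)");
    }
}
```

Run it once with the Woodstox jar on the classpath and once without, so the second run falls back to the JDK's built-in StAX implementation; the two "default settings" lines are the comparison the thread makes. A non-zero fetch count for the hardened factory means that implementation is not honouring the property and the parser choice, not the configuration, is what protects you.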
