Community
Participate
Working Groups
Current offering is a build of Xerces 2.9. I'd like one for 2.12, similarly without the embedded jar files of the original download. Changelog: https://xerces.apache.org/xerces2-j/releases.html https://dev.eclipse.org/ipzilla/show_bug.cgi?id=1148 https://dev.eclipse.org/ipzilla/show_bug.cgi?id=16951 https://dev.eclipse.org/ipzilla/show_bug.cgi?id=17773
Altering severity due to the StackOverflowError, reported by one of our users, that's already fixed in newer releases.
It's also required for common XXE vulnerability fix: support for XMLConstants.ACCESS_EXTERNAL_DTD and XMLConstants.ACCESS_EXTERNAL_SCHEMA https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE) http://cwe.mitre.org/data/definitions/611.html http://cwe.mitre.org/data/definitions/827.html
There is also bug 549827 As I see also javax.xml should be updated to 1.4.01 Can any Orbit commiter start IP process?
*** Bug 549827 has been marked as a duplicate of this bug. ***
*** Bug 565547 has been marked as a duplicate of this bug. ***
I think that this bug could be closed now. Since Orbit R20210223232630 for 2021-03 Xerces 2.12.1 is provided. https://download.eclipse.org/tools/orbit/downloads/drops/R20210223232630/repository
