Re: [eclipse-pmc] Timing for fix for Bug 518031: XML External Entity Vulnerability in Eclipse IDE

+1

On Tue, Sep 5, 2017 at 8:17 PM, Brian de Alwis <briandealwis@xxxxxxxxx> wrote:
> Dear PMC,
>
> An XML External Entity Vulnerability (XXE) bug was identified in the Eclipse
> Platform (https://bugs.eclipse.org/bugs/show_bug.cgi?id=518031).  The Open
> Web Application Security Project (OWASP) has a page explaining the impacts
> of XXE vulnerabilities.
>
> A fix has been released for Photon to configure the relevant locations that
> parse external XML to use the `XMLConstants.FEATURE_SECURE_PROCESSING`
> feature which disables requesting external DTDs and schemas and limits
> entity processing. The JRE requires that all parsers support the
> `XMLConstants.FEATURE_SECURE_PROCESSING` feature.
>
> Given that the fix is small, and a malicious p2 site could be assembled to
> obtain the content of local files, I'd like to request that we backport and
> include this fix for Oxygen.1.
>
> https://git.eclipse.org/r/104388
>
> Brian.
>
> _______________________________________________
> eclipse-pmc mailing list
> eclipse-pmc@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from
> this list, visit
> https://dev.eclipse.org/mailman/listinfo/eclipse-pmc



-- 
Eclipse Platform UI and e4 project co-lead
CEO vogella GmbH

Haindaalwisch 17a, 22395 Hamburg
Hamburg District Court (Amtsgericht): HRB 127058
Managing Directors (Geschäftsführer): Lars Vogel, Jennifer Nerlich de Vogel
VAT ID (USt-IdNr.): DE284122352
Fax (040) 5247 6322, Email: lars.vogel@xxxxxxxxxxx, Web: http://www.vogella.com
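As an added example (not code from the Eclipse change linked above), here is a Java helper showing the hardening Brian's message describes: a DocumentBuilderFactory with `XMLConstants.FEATURE_SECURE_PROCESSING` enabled, plus the explicit external-access attributes as a defensive extra, checked against a constructed document that declares an external entity. The class and method names, the sample documents and the placeholder path are assumptions.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.IOException;
import java.io.StringReader;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class SecureXmlParsing {

    /** Builds a DocumentBuilder hardened against XXE in the way the fix describes. */
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // JAXP requires every parser to accept this feature; in the JDK's built-in
        // parser it blocks external DTD/schema access and caps entity expansion.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            // Defensive extra: forbid all external DTD/schema protocols explicitly,
            // in case a third-party JAXP implementation treats the feature loosely.
            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        } catch (IllegalArgumentException e) {
            // Older implementations may not know these JAXP 1.5 attributes.
            System.err.println("ACCESS_EXTERNAL_* not supported: " + e.getMessage());
        }
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder db = hardenedBuilder();
        // Constructed, harmless update-site style document: parses normally.
        String plain = "<site><feature id=\"org.example.feature\" version=\"1.0.0\"/></site>";
        Document ok = db.parse(new InputSource(new StringReader(plain)));
        System.out.println("plain document root: " + ok.getDocumentElement().getTagName());
        // Constructed document declaring an external entity that points at a local
        // file (placeholder path); the hardened parser must refuse to resolve it.
        String external = "<!DOCTYPE site [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/path\">]>"
                + "<site>&ext;</site>";
        try {
            db.parse(new InputSource(new StringReader(external)));
            System.out.println("UNEXPECTED: external entity was processed");
        } catch (SAXException e) {
            System.out.println("external entity refused: " + e.getMessage());
        } catch (IOException e) {
            System.out.println("UNEXPECTED: parser tried to read the file: " + e.getMessage());
        }
    }
}
```

With the JDK's bundled parser the second parse fails with a SAXParseException citing the accessExternalDTD restriction; an IOException instead would mean the parser attempted the read, i.e. the hardening was not applied.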