Can someone from the Eclipse PMC mark the bug as PMC approved. I want to make sure we are explicit in the request to spin an RC4 for Oxygen.1 on this issue.
Actually if you are not an equinox committer you may not have access to the security bug? But I know at least Alex should be able to approve.
Tom
----- Original message -----
From: Lars Vogel <lars.vogel@xxxxxxxxxxx>
Sent by: eclipse-pmc-bounces@xxxxxxxxxxx
To: eclipse-pmc@xxxxxxxxxxx
Cc:
Subject: Re: [eclipse-pmc] Timing for fix for Bug 518031: XML External Entity Vulnerability in Eclipse IDE
Date: Wed, Sep 6, 2017 1:56 AM
+1
On Tue, Sep 5, 2017 at 8:17 PM, Brian de Alwis <briandealwis@xxxxxxxxx> wrote:
> Dear PMC,
>
> An XML External Entity Vulnerability (XXE) bug was identified in the Eclipse
> Platform (https://urldefense.proofpoint.com/v2/url?u=https-3A__bugs.eclipse.org_bugs_show-5Fbug.cgi-3Fid-3D518031&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=3-qYstlOBrDWVXBRYgDzeD3MPiHRf4H1I9lQI7v6zYs&m=k-BHj6jI8lipokPfCRfE_bBsuZ7cvgcXHytTlBalh3g&s=iomWhy6ev12RdPFPYDLehPqlQJ-BwH-oDncOR44Z2B0&e= ). The Open
> Web Application Security Project (OWASP) has a page explaining the impacts
> of XXE vulnerabilities.
>
> A fix has been released for Photon to configure the relevant locations that
> parse external XML to use the `XMLConstants.FEATURE_SECURE_PROCESSING`
> feature which disables requesting external DTDs and schemas and limits
> entity processing. The JRE requires that all parsers support the
> `XMLConstants.FEATURE_SECURE_PROCESSING` feature.
>
> Given that the fix is small, and a malicious p2 site could be assembled to
> obtain the content of local files, I'd like to request that we backport and
> include this fix for Oxygen.1.
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__git.eclipse.org_r_104388&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=3-qYstlOBrDWVXBRYgDzeD3MPiHRf4H1I9lQI7v6zYs&m=k-BHj6jI8lipokPfCRfE_bBsuZ7cvgcXHytTlBalh3g&s=gQq26Bpp_7vW9n7rCKM0yp7dsc2sfjIs5U0i-YW_rFU&e=
>
> Brian.
>
> _______________________________________________
> eclipse-pmc mailing list
> eclipse-pmc@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from
> this list, visit
> https://urldefense.proofpoint.com/v2/url?u=https-3A__dev.eclipse.org_mailman_listinfo_eclipse-2Dpmc&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=3-qYstlOBrDWVXBRYgDzeD3MPiHRf4H1I9lQI7v6zYs&m=k-BHj6jI8lipokPfCRfE_bBsuZ7cvgcXHytTlBalh3g&s=T1ZFGiRGEYCrMsE4tmYPDr1KB6uwkDWxc193gWnXou0&e=
--
Eclipse Platform UI and e4 project co-lead
CEO vogella GmbH
Haindaalwisch 17a, 22395 Hamburg
Amtsgericht Hamburg: HRB 127058
Geschäftsführer: Lars Vogel, Jennifer Nerlich de Vogel
USt-IdNr.: DE284122352
Fax (040) 5247 6322, Email: lars.vogel@xxxxxxxxxxx, Web: https://urldefense.proofpoint.com/v2/url?u=http-3A__www.vogella.com&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=3-qYstlOBrDWVXBRYgDzeD3MPiHRf4H1I9lQI7v6zYs&m=k-BHj6jI8lipokPfCRfE_bBsuZ7cvgcXHytTlBalh3g&s=x62N5mvmXiCYaEk1lzMPFzh3Vv5gQczS1pPFihR9wV0&e=
_______________________________________________
eclipse-pmc mailing list
eclipse-pmc@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://urldefense.proofpoint.com/v2/url?u=https-3A__dev.eclipse.org_mailman_listinfo_eclipse-2Dpmc&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=3-qYstlOBrDWVXBRYgDzeD3MPiHRf4H1I9lQI7v6zYs&m=k-BHj6jI8lipokPfCRfE_bBsuZ7cvgcXHytTlBalh3g&s=T1ZFGiRGEYCrMsE4tmYPDr1KB6uwkDWxc193gWnXou0&e=
