Re: [cross-project-issues-dev] Potential vulnerability in Apache Xerces 1.12.1 (CVE-2022-23437)
I guess Orbit can also decide to drop old stuff.
Do you know how milestones are built? I still miss Orbit M2.
On 31.01.22 at 15:12, Pierre-Charles David wrote:
On 27/01/2022 at 17:17, Pierre-Charles David wrote:
On 27/01/2022 at 01:25, Nitin Dahyabhai wrote:
Of course, only now do I remember how much effort Aurélien had to go
through just to get the then-current version onto Maven Central.
According to https://issues.apache.org/jira/browse/XERCESJ-1735 it is
now available at
https://repo1.maven.org/maven2/xerces/xercesImpl/2.12.2/
I've proposed a patch to make the update in Orbit:
https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190077
The patch has been merged. An Orbit I-build with Xerces 2.12.2 (instead
of 2.12.1) is available at
https://download.eclipse.org/tools/orbit/downloads/drops/I20220131095416/repository/.
Note that because of the way Orbit repos are built, this also includes
the much older Xerces 2.9, which from the CVE is also affected by the
vulnerability and should be avoided.
On Wed, Jan 26, 2022 at 7:10 PM Nitin Dahyabhai
<thatnitind@xxxxxxxxx> wrote:
Wayne,
I'll take it on.
On Wed, Jan 26, 2022 at 5:02 PM Wayne Beaton
<wayne.beaton@xxxxxxxxxxxxxxxxxxxxxx> wrote:
From CVE-2022-23437:
There's a vulnerability within the Apache Xerces Java
(XercesJ) XML parser when handling specially crafted XML
document payloads. This causes the XercesJ XML parser to
wait in an infinite loop, which may sometimes consume
system resources for a prolonged duration. This
vulnerability is present within XercesJ version 2.12.1
and /the previous versions/.
More here:
* https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23437
This particular version is in Orbit and in the Simultaneous
Release. It appears that version 2.9 is also in the
simultaneous release. According to the alert all versions are
affected.
According to the CQ record, several projects on the
simultaneous release are using affected versions.
If anybody from EclipseLink is monitoring this channel, you
have a CQ for this library, but I haven't found it in your
builds yet. You should probably also have a look.
It seems that the reasonable mitigation strategy is to update
to 2.12.2, but we'll need somebody to take the lead on that.
Any volunteers?
Wayne
--
Wayne Beaton
Director of Open Source Projects | Eclipse Foundation
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
--
Regards,
Nitin Dahyabhai
Eclipse WTP PMC
--
Regards,
Nitin Dahyabhai
Eclipse WTP PMC
--
Pierre-Charles David (Obeo)
--
Vorstand/Board: Jens Wagener (Vors./chairman), Dr. Stephan Eberle, Abdelghani El-Kacimi, Wolfgang Neuhaus, Franz-Josef Schuermann
Aufsichtsrat/Supervisory Board: Michael Neuhaus (Vors./chairman), Harald Goertz, Eric Swehla
Sitz der Gesellschaft/Registered Office: Am Brambusch 15-24, 44536 Lünen (Germany)
Registergericht/Registry Court: Amtsgericht Dortmund | HRB 20621