xerces-j-users mailing list archives

From Michael Glavassevich <mrgla...@ca.ibm.com>
Subject Re: Denial of service with Xerces?
Date Tue, 11 Aug 2009 16:13:25 GMT

Elliotte Rusty Harold <elharo@ibiblio.org> wrote on 08/11/2009 09:51:56 AM:

> On Mon, Aug 10, 2009 at 10:44 PM, Jeffrey Sinclair <jeff@cooljeff.co.uk>
> > Thanks Michael.
> >
> > I'm going to see if I can provide feedback to cert.fi. Their original
> > vulnerability report suggests that it is a Java problem too. Not only
> > have they listed 'all' versions of Xerces but they have also listed the
> > JAXP impl bundled in the JDK (which I know is no longer Xerces).
> >
> Really? Since when? I know it used to be Xerces, and I thought it
> still was (modulo Sun patches and repackaging). In what version did
> this change?

I think Jeff was referring to the amount of forking which Sun has done to
Xerces. At this point I believe what they ship is very different than
Apache Xerces. I'm not sure how folks got the impression that it's just
"patches". I understand that they did significant development and
re-architecture to accommodate StAX, work which has never made its way into
the Apache codebase. Ditto for what was in Java 5 (for JAXP 1.3), also
released by Sun before Xerces ever had those capabilities.

> --
> Elliotte Rusty Harold
> elharo@ibiblio.org


Michael Glavassevich
XML Parser Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org