xerces-j-users mailing list archives

From Michael Glavassevich <mrgla...@ca.ibm.com>
Subject Re: Denial of service with Xerces?
Date Tue, 11 Aug 2009 20:11:20 GMT

Jeff,

Jeffrey Sinclair <jeff@cooljeff.co.uk> wrote on 08/11/2009 03:38:23 PM:

> Michael,
>
> I followed up with the cert.fi group, who posted the vulnerability, to
> clarify the impact they mentioned in the Java implementations. As you
> pointed out, the DOS issue with Xerces-C is different. On the Java side
> they were specifically referring to bad characters in the DTD which can
> result in an infinite loop. This appears to have been patched recently
> in Xerces-J [1]. I also received a mail outside of the group
> re-iterating what cert.fi told me (thanks to Steve Jones).
>
> Could you confirm that the check-in to the XMLScanner [1] was intended
> to fix this vulnerability? Also are there any plans for a 2.9.2 to be
> released to resolve this?

It likely fixes the same issue. The next release is 2.10.0. It's been in
the queue for a while and I would like to see it come out some time before the
end of the year. Users of earlier releases should be able to work around it
by enabling (if appropriate for their application) the
"disallow-doctype-decl" feature I mentioned.

Thanks.

Michael Glavassevich
XML Parser Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org
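
The workaround named in the message above, as an added example (not code from the original thread or from the Xerces project): a JAXP parser configured with the Xerces `disallow-doctype-decl` feature, so any document carrying a DOCTYPE is rejected before its DTD is scanned. The class name, helper names and sample documents are assumptions made for illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class DisallowDoctypeExample {
    // Full Xerces identifier of the "disallow-doctype-decl" feature.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Hypothetical helper: builds a parser that refuses any DOCTYPE declaration.
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // setFeature throws ParserConfigurationException when the underlying
        // parser does not recognise the feature, so setup fails closed.
        dbf.setFeature(DISALLOW_DOCTYPE, true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        // DefaultHandler rethrows fatal errors and keeps them off stderr.
        db.setErrorHandler(new DefaultHandler());
        return db;
    }

    // Returns true if the document parses, false if the parser rejects it.
    static boolean accepts(String xml) throws Exception {
        try {
            newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one with an internal DTD subset, one without.
        String withDtd = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE order [ <!ELEMENT order (#PCDATA)> ]>\n"
            + "<order>42</order>";
        String withoutDtd = "<?xml version=\"1.0\"?>\n<order>42</order>";

        System.out.println("with DOCTYPE accepted: " + accepts(withDtd));
        System.out.println("without DOCTYPE accepted: " + accepts(withoutDtd));
    }
}
```

The feature rejects every DOCTYPE, including harmless ones, which is why the message qualifies it with "if appropriate for their application".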