xerces-j-dev mailing list archives

From Michael Glavassevich <mrgla...@ca.ibm.com>
Subject Re: Fix for CVE-2013-4002
Date Thu, 16 Oct 2014 19:24:22 GMT
Hi,

I think that CVE originated from the JDK but very likely corresponds to 
this change [1] in Xerces which also happens to be a performance 
improvement. It would be included in the next release (no outlook on that 
yet). Users can apply this patch to the source if they need a fix earlier 
than that.

Thanks.

[1] 
http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?annotate=1499506

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org

David Dillard <ddillard@symantec.com> wrote on 09/30/2014 09:59:24 AM:
 
> Hi,
> 
> I noticed that Red Hat just released a fix for CVE-2013-4002 (
> https://access.redhat.com/security/cve/CVE-2013-4002).  I was 
> wondering when a fix for this might be released by the project 
> itself.  I searched through the mailing list archive looking for 
> some mention of it, but didn’t see anything.  However, as it’s a 
> security issue it may not have been discussed publicly.
> 
> --- David