Posted to j-dev@xerces.apache.org by "Mukul Gandhi (Jira)" <xe...@xml.apache.org> on 2022/01/19 11:15:00 UTC

[jira] [Updated] (XERCESJ-1722) Vulnerable Serializer 2.7.1 bundled in Xerces 2.12.1 binary distribution

     [ https://issues.apache.org/jira/browse/XERCESJ-1722?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mukul Gandhi updated XERCESJ-1722:
----------------------------------
    Fix Version/s: 2.12.2

> Vulnerable Serializer 2.7.1 bundled in Xerces 2.12.1 binary distribution
> -----------------------------------------------------------------------
>
>                 Key: XERCESJ-1722
>                 URL: https://issues.apache.org/jira/browse/XERCESJ-1722
>             Project: Xerces2-J
>          Issue Type: Bug
>          Components: Serialization
>    Affects Versions: 2.12.1
>            Reporter: Olivier Jaquemet
>            Assignee: Mukul Gandhi
>            Priority: Major
>             Fix For: 2.12.2
>
>
> The following jars are bundled in the Xerces-J 2.12.1 binary distribution:
> 47dcde8986019314ef78ae7280a94973a21d2ed95075a40a000b42da956429e1 resolver.jar
> *1456a09a4c710804c7cb6c0897cf323ae168d0c07ed12ca389f81f572f6d4391 serializer.jar*
> a840968176645684bb01aed376e067ab39614885f9eee44abe35a5f20ebe7fad xml-apis.jar
> Extracting information from the MANIFEST:
>  * resolver.jar / Implementation-Version: 1.2
>  * *serializer.jar / Implementation-Version: 2.7.1*
>  * xml-apis.jar / Implementation-Version: 1.4.01
> Problem:
> If it IS the Xalan serializer 2.7.1 (which I could not confirm from the hash), this version is vulnerable to CVE-2014-0107:
> https://nvd.nist.gov/vuln/detail/CVE-2014-0107
> Xalan 2.7.2 was released in April 2014 and should probably be included to prevent uninformed users from relying on the whole Xerces-J distribution.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
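As an added illustration of the check the report describes (this is example code, not part of the issue or of the Xerces/Xalan projects), the Python script below reads a jar's META-INF/MANIFEST.MF, reports its Implementation-Version together with the jar's SHA-256, and flags a serializer whose version is below 2.7.2, the release the report names as fixing CVE-2014-0107. The sample jars are constructed in memory, and the version threshold and helper names are assumptions made for the example.

```python
import hashlib
import io
import zipfile
# Assumption (per the report): serializer versions below 2.7.2 predate the CVE-2014-0107 fix.
FIXED_SERIALIZER_VERSION = (2, 7, 2)

def parse_manifest(text):
    """Parse the main section of a MANIFEST.MF; a leading space continues the previous value."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # a blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]  # JAR manifest line wrapping
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs

def parse_version(text):
    """'2.7.1' -> (2, 7, 1); non-numeric suffixes such as '2.7.1-beta' are ignored."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def inspect_jar(data):
    """Return the jar's SHA-256, its Implementation-Version and whether it is below the fixed release."""
    sha256 = hashlib.sha256(data).hexdigest()
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
        except KeyError:
            manifest = ""  # no manifest: version unknown, so not flagged
    version = parse_manifest(manifest).get("Implementation-Version")
    outdated = version is not None and parse_version(version) < FIXED_SERIALIZER_VERSION
    return {"sha256": sha256, "version": version, "outdated": outdated}

def make_jar(manifest):
    """Constructed sample input: a minimal jar holding only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

SAMPLE_OLD = make_jar("Manifest-Version: 1.0\nImplementation-Version: 2.7.1\n\n")  # constructed
SAMPLE_NEW = make_jar("Manifest-Version: 1.0\nImplementation-Version: 2.7.2\n\n")  # constructed
```

For a real distribution, call `inspect_jar(open("serializer.jar", "rb").read())`; the manifest version is self-reported, so also compare the returned SHA-256 against the hash of a known-good serializer.jar rather than trusting the version string alone.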
