Posted to c-users@xerces.apache.org by BEEK Graham <gr...@capgemini.com.INVALID> on 2021/05/28 09:21:53 UTC

Security vulnerability - CVE-2018-1311

Hi,

I've just heard about this vulnerability in Xerces-C 3.2.2.

Although I can see the advisory, there's no mention of it in the bug list. Is this intentional? I was expecting some kind of analysis/response, if not a fix. Looks like it was reported over a year ago. I'm not sure of the timeframe of this sort of thing, maybe it needs to be verified before being acted on?

Anyway, I was just wondering what the state of it is and whether there's any "official" response, even if it's still "we're looking at it".

Cheers,
Graham
This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

RE: Security vulnerability - CVE-2018-1311

Posted by BEEK Graham <gr...@capgemini.com.INVALID>.
That's great Alberto. Many thanks. I don't know why my search didn't find it!

Cheers,
Graham

-----Original Message-----
From: Alberto Massari <al...@tiscali.it> 
Sent: 28 May 2021 11:13
To: c-users@xerces.apache.org
Subject: Re: Security vulnerability - CVE-2018-1311

Hi Graham,
the issue is tracked by https://issues.apache.org/jira/browse/XERCESC-2188

Alberto

On 28/05/21 11:21, BEEK Graham wrote:
> Hi,
>
> I've just heard about this vulnerability in Xerces-C 3.2.2.
>
> Although I can see the advisory, there's no mention of it in the bug list. Is this intentional? I was expecting some kind of analysis/response, if not a fix. Looks like it was reported over a year ago. I'm not sure of the timeframe of this sort of thing, maybe it needs to be verified before being acted on?
>
> Anyway, I was just wondering what the state of it is and whether there's any "official" response, even if it's still "we're looking at it".
>
> Cheers,
> Graham


Re: Security vulnerability - CVE-2018-1311

Posted by Alberto Massari <al...@tiscali.it>.
Hi Graham,
the issue is tracked by https://issues.apache.org/jira/browse/XERCESC-2188

Alberto

On 28/05/21 11:21, BEEK Graham wrote:
> Hi,
>
> I've just heard about this vulnerability in Xerces-C 3.2.2.
>
> Although I can see the advisory, there's no mention of it in the bug list. Is this intentional? I was expecting some kind of analysis/response, if not a fix. Looks like it was reported over a year ago. I'm not sure of the timeframe of this sort of thing, maybe it needs to be verified before being acted on?
>
> Anyway, I was just wondering what the state of it is and whether there's any "official" response, even if it's still "we're looking at it".
>
> Cheers,
> Graham