Posted to j-dev@xerces.apache.org by David Dillard <dd...@symantec.com> on 2014/09/30 15:59:24 UTC

Fix for CVE-2013-4002

Hi,

I noticed that Red Hat just released a fix for CVE-2013-4002 (https://access.redhat.com/security/cve/CVE-2013-4002).  I was wondering when a fix for this might be released by the project itself.  I searched through the mailing list archive looking for some mention of it, but didn't see anything.  However, as it's a security issue it may not have been discussed publicly.


--- David


Re: Fix for CVE-2013-4002

Posted by Michael Glavassevich <mr...@ca.ibm.com>.
Hi,

I think that CVE originated from the JDK but very likely corresponds to 
this change [1] in Xerces which also happens to be a performance 
improvement. It would be included in the next release (no outlook on that 
yet). Users can apply this patch to the source if they need a fix earlier 
than that.

Thanks.

[1] 
http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?annotate=1499506

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org

David Dillard <dd...@symantec.com> wrote on 09/30/2014 09:59:24 AM:
 
> Hi,
> 
> I noticed that Red Hat just released a fix for CVE-2013-4002 (
> https://access.redhat.com/security/cve/CVE-2013-4002).  I was 
> wondering when a fix for this might be released by the project 
> itself.  I searched through the mailing list archive looking for 
> some mention of it, but didn’t see anything.  However, as it’s a 
> security issue it may not have been discussed publicly.
> 
> --- David