Posted to j-dev@xerces.apache.org by Mukul Gandhi <mu...@apache.org> on 2018/05/01 05:37:22 UTC

Re: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release

Hi Jim,
   Requesting you to please, create a separate thread on "dev" list to
discuss this issue. You may also either create a Xerces bug or an
improvement request in JIRA.

On Mon, Apr 30, 2018 at 9:43 PM, Jim Manico <ji...@manicode.com> wrote:

> Forgive this disruption but Xerces allows external entity resolution to be
> enabled by default which is a major vulnerability. A simple config setting
> change would turn this, rightfully, off by default.
>
> For more info please see https://cwe.mitre.org/data/definitions/611.html
>
> --
> Jim Manico
> @Manicode
> Secure Coding Education
> +1 (808) 652-3805
>
>


-- 
Regards,
Mukul Gandhi

Re: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release

Posted by Michael Glavassevich <mr...@ca.ibm.com>.
This has been discussed many times before. Users are required to configure 
XML parsers appropriately for the environment they're running their 
application in. JAXP provides many ways of disabling DTD processing and 
entity resolution. The default behaviour is what's required by the spec. 
It isn't changing.

Thanks.

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org

Mukul Gandhi <mu...@apache.org> wrote on 05/01/2018 01:37:22 AM:

> Hi Jim,
>    Requesting you to please, create a separate thread on "dev" list 
> to discuss this issue. You may also either create a Xerces bug or an
> improvement request in JIRA.
> 
> On Mon, Apr 30, 2018 at 9:43 PM, Jim Manico <ji...@manicode.com> wrote:
> Forgive this disruption but Xerces allows external entity resolution
> to be enabled by default which is a major vulnerability. A simple 
> config setting change would turn this, rightfully, off by default.
> 
> For more info please see https://cwe.mitre.org/data/definitions/611.html

> --
> Jim Manico
> @Manicode
> Secure Coding Education
> +1 (808) 652-3805 
> 

> 
> -- 
> Regards,
> Mukul Gandhi
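The two positions above (Jim's point that external entity resolution is on by default, CWE-611; Michael's reply that JAXP gives applications the means to disable DTD processing and entity resolution) translate into a small amount of factory configuration on the application side. The following is an added example written for this thread, not code from the Xerces project or from either poster. It assumes Xerces-J (or the JDK's bundled Xerces fork) as the JAXP DOM implementation, so that the `http://apache.org/xml/features/...` and `http://xml.org/sax/features/...` feature URIs are recognized; the sample documents and the `file:///PLACEHOLDER_PATH` system identifier are constructed for the demonstration and point at nothing real.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/** Hardened JAXP/Xerces configuration that refuses DTDs and external entities. */
public class HardenedXmlParser {

    // Feature URIs understood by Xerces-J / the SAX2 specification.
    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL_ENTITIES =
        "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER_ENTITIES =
        "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_EXTERNAL_DTD =
        "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** Builds a factory whose parsers reject any DOCTYPE and never fetch external entities. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // JAXP secure processing: limits entity expansion and related resource use.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Strongest single setting: a document containing a DOCTYPE is rejected outright.
        factory.setFeature(DISALLOW_DOCTYPE, true);
        // Defence in depth for deployments that must accept some DTDs: no external fetches.
        factory.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
        factory.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
        factory.setFeature(LOAD_EXTERNAL_DTD, false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    /** Parses xml with the given factory; an empty EntityResolver is set as a last line of defence. */
    public static Document parse(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        builder.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Returns true if the factory's parser accepts the document, false if it is rejected as malformed. */
    public static boolean accepts(DocumentBuilderFactory factory, String xml) throws Exception {
        try {
            parse(factory, xml);
            return true;
        } catch (SAXParseException rejected) {
            // With disallow-doctype-decl set, Xerces reports the DOCTYPE itself as the error.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory hardened = hardenedFactory();

        // Constructed sample: an ordinary document with no DTD.
        String benign = "<config><name>demo</name></config>";
        // Constructed sample: a document declaring an external entity (the CWE-611 pattern);
        // the system identifier is a placeholder and is never resolved by the hardened parser.
        String withDoctype =
            "<!DOCTYPE config [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\">]>"
            + "<config>&ext;</config>";

        System.out.println("benign accepted:        " + accepts(hardened, benign));       // true
        System.out.println("DOCTYPE accepted:       " + accepts(hardened, withDoctype));  // false
    }
}
```

The order of the settings matters less than their presence: `disallow-doctype-decl` makes the other entity features moot for documents that carry a DTD, while the `external-*-entities` and `load-external-dtd` features cover the case where an application has a legitimate need to accept an inline DTD but must still never touch the network or filesystem on the parser's behalf. Because `DocumentBuilderFactory.setFeature` throws `ParserConfigurationException` for unrecognized features, this configuration fails closed at startup rather than silently running with a permissive parser if a different JAXP implementation is picked up from the classpath.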