You are viewing a plain text version of this content. The canonical link for it is here.
Posted to rampart-dev@ws.apache.org by "Andreas Veithen (JIRA)" <ji...@apache.org> on 2010/07/31 23:44:16 UTC
[jira] Resolved: (AXIS2-4450) CVE-2010-1632: Message builders for
SOAP and XML should not attempt to load DTDs
[ https://issues.apache.org/jira/browse/AXIS2-4450?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andreas Veithen resolved AXIS2-4450.
------------------------------------
Fix Version/s: 1.6
1.5.2
Resolution: Fixed
Fixed by r944915 on the trunk.
Fixed by r952764 on the 1.5 branch.
> CVE-2010-1632: Message builders for SOAP and XML should not attempt to load DTDs
> --------------------------------------------------------------------------------
>
> Key: AXIS2-4450
> URL: https://issues.apache.org/jira/browse/AXIS2-4450
> Project: Axis2
> Issue Type: Bug
> Components: kernel
> Reporter: Andreas Veithen
> Assignee: Andreas Veithen
> Fix For: 1.6, 1.5.2
>
>
> When Axis2 receives a message with a DOCTYPE declaration referencing a DTD (using a system ID), it will attempt to load that DTD. Since SOAP doesn't allow DTDs, we should not try to load it.
> See also: http://markmail.org/message/e4yiij7lfexastvl
> Note that the described behavior depends on the StAX parser implementation. For more information, see WSCOMMONS-394 (which also describes a potential solution for the present issue).
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org