Posted to dev@xalan.apache.org by Gary Gregory <ga...@gmail.com> on 2014/04/22 22:26:07 UTC

[RESULT][VOTE] Release Apache Xalan-J 2.7.2-RC1 as 2.7.2

The VOTE to release Xalan 2.7.2-RC1 as 2.7.2 passes with the following
votes:

Binding +1 votes:

Gary Gregory (ggregory)
Gareth Reakes (gareth)
Steven J. Hathaway (shathaway)
Michael Glavassevich (mrglavas)

Non-Binding +1 votes:

yk3rg52xn7@snkmail.com
Per Arnold Blåsmo (Per.Arnold@blaasmo.no)

Vote thread: https://www.mail-archive.com/dev@xalan.apache.org/msg00554.html
Xalan PMC: https://people.apache.org/committers-by-project.html#xalan-pmc

Thank you all for your patience,
Gary Gregory

PS: Now for the tricky part of releasing when it has not been done in a
long time...

On Wed, Mar 26, 2014 at 2:59 PM, Gary Gregory <ga...@gmail.com> wrote:

> Hello All:
>
> This is a VOTE to release Apache Xalan-J 2.7.2-RC1 as 2.7.2
>
> This is a bug fix release. As before, Xalan-J requires a minimum of Java
> 1.3.
>
> The Apache Xalan-J team is pleased to announce the Apache Xalan-J 2.7.2
> release!
>
> Xalan-Java fully implements XSL Transformations (XSLT) Version 1.0 and the
> XML Path Language (XPath) Version 1.0.
>
> Changes in this version include:
>
> Fixed Bugs:
>
> - Fix for CVE-2014-0107 insufficient secure processing
>
> When using FEATURE_SECURE_PROCESSING
> ("http://javax.xml.XMLConstants/feature/secure-processing") on a
> TransformerFactory, the output properties:
>
>     {http://xml.apache.org/xalan}content-handler
>     {http://xml.apache.org/xalan}entities
>     {http://xml.apache.org/xslt}content-handler
>     {http://xml.apache.org/xslt}entities
>
> should be ignored (see
> http://xml.apache.org/xalan-j/usagepatterns.html#outputprops)
>
> These properties can be used to load an arbitrary class or access an
> arbitrary URL/resource so are problematic when secure processing is desired.
>
> <xsl:output xalan:content-handler="org.example.BadClass" ...
>
> <xsl:output xalan:entities="http://example.org/reallyLargeFile.bin" ...
>
> These features could be used to load a class that had undesirable
> side-effects or to load a large file and exhaust memory, etc.
>
> See XALANJ-2435.
>
> - Upgrade to Xerces-J 2.11.0 and XML Commons External 1.4.01
>
> The distributions contain upgraded versions of xercesImpl.jar (Xerces-J
> 2.11.0) and xml-apis.jar (XML Commons External 1.4.01).
>
>
> - XALANJ Jira bug fixes
>
> XALANJ Jira bug fixes: 2435, 2580, 2546, 2581, 2582, 2583, 2473, 2495,
> 2493, 2424, 2446, 2447
>
> You can also view the list in Jira:
> https://issues.apache.org/jira/browse/XALANJ-2424?jql=project%20%3D%20XALANJ%20AND%20fixVersion%20%3D%202.7.2%20ORDER%20BY%20due%20ASC%2C%20priority%20DESC%2C%20created%20ASC
>
> This VOTE is open for at least 72 hours until March 29 2014 at 15:00 PM
> EST.
>
> The files:
>
> https://people.apache.org/~ggregory/xalan/2.7.1-rc1/dist/
>
> The tags:
>
> https://svn.apache.org/repos/asf/xalan/java/tags/xalan-j_2_7_2-rc1
> https://svn.apache.org/repos/asf/xalan/test/tags/xalan-j_2_7_2-rc1
>
> The docs:
>
> https://people.apache.org/~ggregory/xalan/2.7.1-rc1/site/
>
> Thank you,
> Gary Gregory
>
> --
> E-Mail: garydgregory@gmail.com | ggregory@apache.org
> Java Persistence with Hibernate, Second Edition<http://www.manning.com/bauer3/>
> JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
> Spring Batch in Action <http://www.manning.com/templier/>
> Blog: http://garygregory.wordpress.com
> Home: http://garygregory.com/
> Tweet! http://twitter.com/GaryGregory
>



-- 
E-Mail: garydgregory@gmail.com | ggregory@apache.org
Java Persistence with Hibernate, Second Edition<http://www.manning.com/bauer3/>
JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
Spring Batch in Action <http://www.manning.com/templier/>
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory

Re: [RESULT][VOTE] Release Apache Xalan-J 2.7.2-RC1 as 2.7.2

Posted by Michael Glavassevich <mr...@ca.ibm.com>.
Excellent! Gary, thanks for driving this.

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org

