Posted to j-users@xerces.apache.org by David Dillard <Da...@veritas.com> on 2018/04/30 15:02:28 UTC

RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release

I asked before about getting a CVE for the issue I raised that was fixed, and about a security advisory.  I don’t recall seeing a response.

Can that please be done as well?  I don’t know what the internal Apache process is for getting CVEs, but there’s got to be one.


From: Mukul Gandhi [mailto:mukulg@apache.org]
Sent: Sunday, April 29, 2018 11:45 PM
To: j-dev@xerces.apache.org; private@xerces.apache.org; j-users@xerces.apache.org
Subject: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release

Hi all,
   The vote to release Xerces-J 2.12.0 resulted in 3 +1 votes (all from PMC members) and no other votes:

+1 by:
Gareth Reakes (PMC)
Michael Glavassevich (PMC)
Mukul Gandhi (PMC)

The release should be up on the mirror sites very soon.


On Mon, Apr 23, 2018 at 5:36 PM, Mukul Gandhi <mu...@apache.org>> wrote:
Hi all,
   The 1st voting for Xerces-J 2.12.0 release was stopped, due to certain issues that were in the release candidates (RC) that were found by the reviewers ([5]). Those have been fixed now, and I'm initiating this new mail for the Vote for new RC.

I've uploaded the Xerces-J 2.12.0 release candidates (the revised ones) to [1] for review. In this release candidate there are two sets of packages, the main release built from the trunk [2] and the XML Schema 1.1 release built from the XML Schema 1.1 development branch [3]. The change summary is available here [4] in JIRA. 81 issues (plus the issues that were mentioned during the review of the 1st RC) were resolved.

Test results have been looking good, so I'd like to call an official vote now on the release.

To start, here's my +1.

Great work everyone.

[1] https://dist.apache.org/repos/dist/dev/xerces/j/2.12.0/
Revision 26468

[2] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0/
Directory revision: 1829687 (of 1829689)

[3] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0-xml-schema-1.1/
Directory revision: 1829688 (of 1829689)

[4] https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=10520&version=12336542

[5] https://markmail.org/message/54obpdyqrn6nfzgi : discussion about previous RC, suggesting a revote

[6] Deleted the .md5 hash files from the RC distribution at https://dist.apache.org/repos/dist/dev/xerces/j/2.12.0/. The revision number is mentioned in point [1] above. (Suggestions from sebb, sebbaz@gmail.com<ma...@gmail.com>, during this voting.)




--
Regards,
Mukul Gandhi

RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release

Posted by David Dillard <Da...@veritas.com>.
Would it be possible for you to connect me with these people so I can discuss it with them directly?


From: Michael Glavassevich [mailto:mrglavas@ca.ibm.com]
Sent: Tuesday, May 22, 2018 12:14 PM
To: j-dev@xerces.apache.org
Cc: j-users@xerces.apache.org; mukulg@apache.org; private@xerces.apache.org
Subject: RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release

CVE-2018-2799 was the only one we asked about, but it was security@'s opinion that we didn't need a new CVE for that one. Honestly, this isn't a subject I know much about. I think if this had been reported through the security team (under the assumption it was a newly discovered issue), following through the process [1] a new CVE would have been requested.

Thanks.

[1] https://www.apache.org/security/committers.html

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com<ma...@ca.ibm.com>
E-mail: mrglavas@apache.org<ma...@apache.org>

David Dillard <Da...@veritas.com>> wrote on 05/22/2018 11:20:08 AM:

> From: David Dillard <Da...@veritas.com>>
> To: "j-dev@xerces.apache.org<ma...@xerces.apache.org>" <j-...@xerces.apache.org>>, "j-
> users@xerces.apache.org<ma...@xerces.apache.org>" <j-...@xerces.apache.org>>
> Cc: "mukulg@apache.org<ma...@apache.org>" <mu...@apache.org>>,
> "private@xerces.apache.org<ma...@xerces.apache.org>" <pr...@xerces.apache.org>>
> Date: 05/22/2018 11:30 AM
> Subject: RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release
>
> Hi Michael,
>
> That’s ok for CVE-2012-0881, though the CPEs (affected software and
> versions) should be updated to reflect that the issue was fixed in
> 2.12.0.  I’m happy to send that request in if you like.
>
> However, for CVE-2013-4002 and CVE-2018-2799 I’m going to disagree,
> as neither of them even mentions Xerces.  As is, the only way anyone
> would know that those two vulnerabilities were fixed in Xerces is to
> read the Xerces release announcement.  So, if someone relies on
> tools like Dependency Check, Black Duck or White Source (which can
> scan jars for known vulnerabilities) there’d be no issue flagged for
> Xerces 2.11.0 or earlier.  That’s bad.  I don’t think updating the
> CPEs for either of those vulnerabilities is really an option and IBM
> and Oracle issued them and the descriptions are specific to their
> products.  I think new CVEs are needed for these issues.
>
> Fixing vulnerabilities is obviously important, but making it easy
> for people to know those vulnerabilities have been fixed is also important.
>
>
> Regards,
>
> David
>
>
> From: Michael Glavassevich [mailto:mrglavas@ca.ibm.com]
> Sent: Tuesday, May 22, 2018 9:52 AM
> To: j-users@xerces.apache.org<ma...@xerces.apache.org>
> Cc: j-dev@xerces.apache.org<ma...@xerces.apache.org>; mukulg@apache.org<ma...@apache.org>; private@xerces.apache.org<ma...@xerces.apache.org>
> Subject: RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release
>
> I thought the CVE was mentioned in the release announcement.
>
> The security team did eventually respond to us and said we shouldn't
> need a new CVE since it's the same source code that's affected.
>
> Thanks.
>
> Michael Glavassevich
> XML Technologies and WAS Development
> IBM Toronto Lab
> E-mail: mrglavas@ca.ibm.com<ma...@ca.ibm.com>
> E-mail: mrglavas@apache.org<ma...@apache.org>

RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release

Posted by Michael Glavassevich <mr...@ca.ibm.com>.
CVE-2018-2799 was the only one we asked about, but it was security@'s 
opinion that we didn't need a new CVE for that one. Honestly, this isn't a 
subject I know much about. I think if this had been reported through the 
security team (under the assumption it was a newly discovered issue), 
following through the process [1] a new CVE would have been requested.

Thanks.

[1] https://www.apache.org/security/committers.html

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org

David Dillard <Da...@veritas.com> wrote on 05/22/2018 11:20:08 AM:

> From: David Dillard <Da...@veritas.com>
> To: "j-dev@xerces.apache.org" <j-...@xerces.apache.org>, "j-
> users@xerces.apache.org" <j-...@xerces.apache.org>
> Cc: "mukulg@apache.org" <mu...@apache.org>, 
> "private@xerces.apache.org" <pr...@xerces.apache.org>
> Date: 05/22/2018 11:30 AM
> Subject: RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release
> 
> Hi Michael,
> 
> That’s ok for CVE-2012-0881, though the CPEs (affected software and 
> versions) should be updated to reflect that the issue was fixed in 
> 2.12.0.  I’m happy to send that request in if you like.
> 
> However, for CVE-2013-4002 and CVE-2018-2799 I’m going to disagree,
> as neither of them even mentions Xerces.  As is, the only way anyone
> would know that those two vulnerabilities were fixed in Xerces is to
> read the Xerces release announcement.  So, if someone relies on 
> tools like Dependency Check, Black Duck or White Source (which can 
> scan jars for known vulnerabilities) there’d be no issue flagged for
> Xerces 2.11.0 or earlier.  That’s bad.  I don’t think updating the 
> CPEs for either of those vulnerabilities is really an option and IBM
> and Oracle issued them and the descriptions are specific to their 
> products.  I think new CVEs are needed for these issues.
> 
> Fixing vulnerabilities is obviously important, but making it easy
> for people to know those vulnerabilities have been fixed is also
> important.
> 
> 
> Regards,
> 
> David
> 
> 
> From: Michael Glavassevich [mailto:mrglavas@ca.ibm.com] 
> Sent: Tuesday, May 22, 2018 9:52 AM
> To: j-users@xerces.apache.org
> Cc: j-dev@xerces.apache.org; mukulg@apache.org;
> private@xerces.apache.org
> Subject: RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release
> 
> I thought the CVE was mentioned in the release announcement.
> 
> The security team did eventually respond to us and said we shouldn't
> need a new CVE since it's the same source code that's affected.
> 
> Thanks.
> 
> Michael Glavassevich
> XML Technologies and WAS Development
> IBM Toronto Lab
> E-mail: mrglavas@ca.ibm.com
> E-mail: mrglavas@apache.org



RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release

Posted by David Dillard <Da...@veritas.com>.
Hi Michael,

That’s ok for CVE-2012-0881<https://nvd.nist.gov/vuln/detail/CVE-2012-0881>, though the CPEs (affected software and versions) should be updated to reflect that the issue was fixed in 2.12.0.  I’m happy to send that request in if you like.

However, for CVE-2013-4002<https://nvd.nist.gov/vuln/detail/CVE-2013-4002> and CVE-2018-2799<https://nvd.nist.gov/vuln/detail/CVE-2018-2799> I’m going to disagree, as neither of them even mentions Xerces.  As is, the only way anyone would know that those two vulnerabilities were fixed in Xerces is to read the Xerces release announcement.  So, if someone relies on tools like Dependency Check, Black Duck or White Source (which can scan jars for known vulnerabilities) there’d be no issue flagged for Xerces 2.11.0 or earlier.  That’s bad.  I don’t think updating the CPEs for either of those vulnerabilities is really an option and IBM and Oracle issued them and the descriptions are specific to their products.  I think new CVEs are needed for these issues.

Fixing vulnerabilities is obviously important, but making it easy for people to know those vulnerabilities have been fixed is also important.


Regards,

David


From: Michael Glavassevich [mailto:mrglavas@ca.ibm.com]
Sent: Tuesday, May 22, 2018 9:52 AM
To: j-users@xerces.apache.org
Cc: j-dev@xerces.apache.org; mukulg@apache.org; private@xerces.apache.org
Subject: RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release

I thought the CVE was mentioned in the release announcement.

The security team did eventually respond to us and said we shouldn't need a new CVE since it's the same source code that's affected.

Thanks.

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com<ma...@ca.ibm.com>
E-mail: mrglavas@apache.org<ma...@apache.org>
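
As an added illustration of the scanner argument in David's post above (example code, not from the thread or from the Xerces project): a toy CPE matcher run over constructed advisory records, showing why a CVE that carries no Xerces CPE can never be flagged for a Xerces jar, and what the requested CPE update on CVE-2012-0881 changes. The vendor/product pair for Xerces-J and the advisory records are assumptions for the example, not copies of NVD data.

```python
"""Why a CVE that never names Xerces is invisible to CPE-driven jar scanners.

Simplified, constructed model of how a dependency scanner matches a library's
coordinates against the CPE entries attached to a CVE. The records below are
illustrative only; they are not real NVD configurations.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple:
    """Turn '2.11.0' into a tuple that sorts numerically, so 2.9 < 2.11."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


@dataclass
class CpeMatch:
    """One CPE match entry: vendor/product plus an optional upper version bound."""
    vendor: str
    product: str
    version: str = "*"                           # exact version, or "*" for any
    version_end_excluding: Optional[str] = None  # fixed-in version, when recorded

    def matches(self, vendor: str, product: str, version: str) -> bool:
        if (self.vendor, self.product) != (vendor, product):
            return False
        v = parse_version(version)
        if self.version != "*":
            return v == parse_version(self.version)
        if self.version_end_excluding is not None:
            return v < parse_version(self.version_end_excluding)
        return True  # unbounded range: every version of the product is "affected"


@dataclass
class Advisory:
    cve: str
    cpes: List[CpeMatch] = field(default_factory=list)


def scan(vendor: str, product: str, version: str,
         advisories: List[Advisory]) -> List[str]:
    """What a CPE-driven scanner would report for one artifact."""
    return [a.cve for a in advisories
            if any(m.matches(vendor, product, version) for m in a.cpes)]


def uncovered(vendor: str, product: str, advisories: List[Advisory]) -> List[str]:
    """CVEs with no CPE for this product at all; scan() can never flag them."""
    return [a.cve for a in advisories
            if not any((m.vendor, m.product) == (vendor, product) for m in a.cpes)]


# Assumed CPE vendor/product for Xerces-J (an assumption for this example).
XERCES = ("apache", "xerces2_java")

# Constructed records mirroring the thread: CVE-2012-0881 names Xerces but has
# no fixed-in bound; the other two only name the vendors that issued them.
BEFORE_UPDATE = [
    Advisory("CVE-2012-0881", [CpeMatch(*XERCES)]),
    Advisory("CVE-2013-4002", [CpeMatch("ibm", "java_sdk")]),
    Advisory("CVE-2018-2799", [CpeMatch("oracle", "jdk")]),
]

# The same records after the CPE update requested for CVE-2012-0881.
AFTER_UPDATE = [
    Advisory("CVE-2012-0881", [CpeMatch(*XERCES, version_end_excluding="2.12.0")]),
] + BEFORE_UPDATE[1:]


if __name__ == "__main__":
    for data, label in ((BEFORE_UPDATE, "before"), (AFTER_UPDATE, "after")):
        for ver in ("2.11.0", "2.12.0"):
            print(label, ver, scan(*XERCES, ver, data))
    # The two vendor-issued CVEs stay invisible to the scanner either way.
    print("never flagged for Xerces:", uncovered(*XERCES, AFTER_UPDATE))
```

Before the update the unbounded CPE also flags the fixed 2.12.0 release, and in both cases the two vendor-issued CVEs are never reported for any Xerces version, which is the gap a new Xerces CVE would close.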



RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release

Posted by Michael Glavassevich <mr...@ca.ibm.com>.
I thought the CVE was mentioned in the release announcement.

The security team did eventually respond to us and said we shouldn't need 
a new CVE since it's the same source code that's affected.

Thanks.

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org

David Dillard <Da...@veritas.com> wrote on 05/21/2018 10:25:25 AM:

> From: David Dillard <Da...@veritas.com>
> To: "j-dev@xerces.apache.org" <j-...@xerces.apache.org>
> Cc: "j-users@xerces.apache.org" <j-...@xerces.apache.org>, 
> "mukulg@apache.org" <mu...@apache.org>, "private@xerces.apache.org"
> <pr...@xerces.apache.org>
> Date: 05/22/2018 09:45 AM
> Subject: RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release
> 
> Any news on this?
> 
> 
> From: Michael Glavassevich [mailto:mrglavas@ca.ibm.com] 
> Sent: Monday, April 30, 2018 11:54 AM
> To: j-dev@xerces.apache.org
> Cc: j-users@xerces.apache.org; mukulg@apache.org;
> private@xerces.apache.org
> Subject: RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release
> 
> I have asked security@ for guidance on what to do next.
> 
> Michael Glavassevich
> XML Technologies and WAS Development
> IBM Toronto Lab
> E-mail: mrglavas@ca.ibm.com
> E-mail: mrglavas@apache.org
> 
> David Dillard <Da...@veritas.com> wrote on 04/30/2018 11:02:28 AM:
> 
> > From: David Dillard <Da...@veritas.com>
> > To: "j-dev@xerces.apache.org" <j-...@xerces.apache.org>, 
> > "mukulg@apache.org" <mu...@apache.org>, "private@xerces.apache.org"
> > <pr...@xerces.apache.org>, "j-users@xerces.apache.org" <j-
> > users@xerces.apache.org>
> >
> > Date: 04/30/2018 11:32 AM
> > Subject: RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release
> > 
> > I asked before about getting a CVE for the issue I raised that was 
> > fixed, and about a security advisory.  I don’t recall seeing a response.
> > 
> > Can that please be done as well?  I don’t know what the internal 
> > Apache process is for getting CVEs, but there’s got to be one.
> > 
> > 
> > From: Mukul Gandhi [mailto:mukulg@apache.org] 
> > Sent: Sunday, April 29, 2018 11:45 PM
> > To: j-dev@xerces.apache.org; private@xerces.apache.org; j-
> > users@xerces.apache.org
> > Subject: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release
> > 
> > Hi all,
> >    The vote to release Xerces-J 2.12.0 resulted in 3 +1 votes (all 
> > from PMC members) and no other votes:
> > 
> > +1 by:
> > Gareth Reakes (PMC)
> > Michael Glavassevich (PMC)
> > Mukul Gandhi (PMC)
> > 
> > The release should be up on the mirror sites very soon.
> > 
> > 
> > On Mon, Apr 23, 2018 at 5:36 PM, Mukul Gandhi <mu...@apache.org> wrote:
> > Hi all,
> >    The 1st voting for Xerces-J 2.12.0 release was stopped, due to 
> > certain issues that were in the release candidates (RC) that were 
> > found by the reviewers ([5]). Those have been fixed now, and I'm 
> > initiating this new mail for the Vote for new RC.
> > 
> > I've uploaded Xerces-J 2.12.0 release candidates (the revised one) 
> > to [1] for review. In this release candidate there are two sets of 
> > packages, the main release built from the trunk [2] and the XML 
> > Schema 1.1 release built from the XML Schema 1.1 development branch 
> > [3]. The change summary is available here [4] in JIRA. 81 issues 
> > (plus issues that were mentioned, during the review of 1st RC) were resolved.
> > 
> > Test results have been looking good, so I'd like to call an official
> > vote now on the release.
> > 
> > To start, here's my +1.
> > 
> > Great work everyone.
> > 
> > [1] https://dist.apache.org/repos/dist/dev/xerces/j/2.12.0/
> > Revision 26468
> > 
> > [2] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0/
> > Directory revision: 1829687 (of 1829689)
> > 
> > [3] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0-
> > xml-schema-1.1/
> > Directory revision: 1829688 (of 1829689)
> > 
> > [4] https://issues.apache.org/jira/secure/ReleaseNote.jspa?
> > projectId=10520&version=12336542
> > 
> > [5] https://markmail.org/message/54obpdyqrn6nfzgi: discussion about
> > previous RC, suggesting a revote
> > 
> > [6] Deleting .md5 hash files from the RC distribution at, https://
> > dist.apache.org/repos/dist/dev/xerces/j/2.12.0/. Mentioned Revision 
> > number in point [1] above. (suggestions from sebb, sebbaz@gmail.com 
> > during this voting)
> >
> > -- 
> > Regards,
> > Mukul Gandhi


RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release

Posted by David Dillard <Da...@veritas.com>.
Any news on this?


From: Michael Glavassevich [mailto:mrglavas@ca.ibm.com]
Sent: Monday, April 30, 2018 11:54 AM
To: j-dev@xerces.apache.org
Cc: j-users@xerces.apache.org; mukulg@apache.org; private@xerces.apache.org
Subject: RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release

I have asked security@ for guidance on what to do next.

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com<ma...@ca.ibm.com>
E-mail: mrglavas@apache.org<ma...@apache.org>

David Dillard <Da...@veritas.com>> wrote on 04/30/2018 11:02:28 AM:

> From: David Dillard <Da...@veritas.com>>
> To: "j-dev@xerces.apache.org<ma...@xerces.apache.org>" <j-...@xerces.apache.org>>,
> "mukulg@apache.org<ma...@apache.org>" <mu...@apache.org>>, "private@xerces.apache.org<ma...@xerces.apache.org>"
> <pr...@xerces.apache.org>>, "j-users@xerces.apache.org<ma...@xerces.apache.org>" <j-
> users@xerces.apache.org<ma...@xerces.apache.org>>
>
> Date: 04/30/2018 11:32 AM
> Subject: RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release
>
> I asked before about getting a CVE for the issue I raised that was
> fixed, and about a security advisory.  I don’t recall seeing a response.
>
> Can that please be done as well?  I don’t know what the internal
> Apache process is for getting CVEs, but there’s got to be one.
>
>
> From: Mukul Gandhi [mailto:mukulg@apache.org]
> Sent: Sunday, April 29, 2018 11:45 PM
> To: j-dev@xerces.apache.org<ma...@xerces.apache.org>; private@xerces.apache.org<ma...@xerces.apache.org>; j-
> users@xerces.apache.org<ma...@xerces.apache.org>
> Subject: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release
>
> Hi all,
>    The vote to release Xerces-J 2.12.0 resulted in 3 +1 votes (all
> from PMC members) and no other votes:
>
> +1 by:
> Gareth Reakes (PMC)
> Michael Glavassevich (PMC)
> Mukul Gandhi (PMC)
>
> The release should be up on the mirror sites very soon.
>
>
> On Mon, Apr 23, 2018 at 5:36 PM, Mukul Gandhi <mu...@apache.org>> wrote:
> Hi all,
>    The 1st voting for Xerces-J 2.12.0 release was stopped, due to
> certain issues that were in the release candidates (RC) that were
> found by the reviewers ([5]). Those have been fixed now, and I'm
> initiating this new mail for the Vote for new RC.
>
> I've uploaded Xerces-J 2.12.0 release candidates (the revised one)
> to [1] for review. In this release candidate there are two sets of
> packages, the main release built from the trunk [2] and the XML
> Schema 1.1 release built from the XML Schema 1.1 development branch
> [3]. The change summary is available here [4] in JIRA. 81 issues
> (plus issues that were mentioned, during the review of 1st RC) were resolved.
>
> Test results have been looking good, so I'd like to call an official
> vote now on the release.
>
> To start, here's my +1.
>
> Great work everyone.
>
> [1] https://dist.apache.org/repos/dist/dev/xerces/j/2.12.0/
> Revision 26468
>
> [2] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0/
> Directory revision: 1829687 (of 1829689)
>
> [3] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0-
> xml-schema-1.1/
> Directory revision: 1829688 (of 1829689)
>
> [4] https://issues.apache.org/jira/secure/ReleaseNote.jspa?
> projectId=10520&version=12336542
>
> [5] https://markmail.org/message/54obpdyqrn6nfzgi: discussion about
> previous RC, suggesting a revote
>
> [6] Deleting .md5 hash files from the RC distribution at, https://
> dist.apache.org/repos/dist/dev/xerces/j/2.12.0/. Mentioned Revision
> number in point [1] above. (suggestions from sebb, sebbaz@gmail.com<ma...@gmail.com>
> during this voting)
>
> --
> Regards,
> Mukul Gandhi

RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release

Posted by Michael Glavassevich <mr...@ca.ibm.com>.
I have asked security@ for guidance on what to do next.

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org

David Dillard <Da...@veritas.com> wrote on 04/30/2018 11:02:28 AM:

> From: David Dillard <Da...@veritas.com>
> To: "j-dev@xerces.apache.org" <j-...@xerces.apache.org>, 
> "mukulg@apache.org" <mu...@apache.org>, "private@xerces.apache.org"
> <pr...@xerces.apache.org>, "j-users@xerces.apache.org" <j-
> users@xerces.apache.org>
>
> Date: 04/30/2018 11:32 AM
> Subject: RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release
> 
> I asked before about getting a CVE for the issue I raised that was 
> fixed, and about a security advisory.  I don’t recall seeing a response.
> 
> Can that please be done as well?  I don’t know what the internal 
> Apache process is for getting CVEs, but there’s got to be one.
> 
> 
> From: Mukul Gandhi [mailto:mukulg@apache.org] 
> Sent: Sunday, April 29, 2018 11:45 PM
> To: j-dev@xerces.apache.org; private@xerces.apache.org; j-
> users@xerces.apache.org
> Subject: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release
> 
> Hi all,
>    The vote to release Xerces-J 2.12.0 resulted in 3 +1 votes (all 
> from PMC members) and no other votes:
> 
> +1 by:
> Gareth Reakes (PMC)
> Michael Glavassevich (PMC)
> Mukul Gandhi (PMC)
> 
> The release should be up on the mirror sites very soon.
> 
> 
> On Mon, Apr 23, 2018 at 5:36 PM, Mukul Gandhi <mu...@apache.org> wrote:
> Hi all,
>    The 1st voting for Xerces-J 2.12.0 release was stopped, due to 
> certain issues that were in the release candidates (RC) that were 
> found by the reviewers ([5]). Those have been fixed now, and I'm 
> initiating this new mail for the Vote for new RC.
> 
> I've uploaded Xerces-J 2.12.0 release candidates (the revised one) 
> to [1] for review. In this release candidate there are two sets of 
> packages, the main release built from the trunk [2] and the XML 
> Schema 1.1 release built from the XML Schema 1.1 development branch 
> [3]. The change summary is available here [4] in JIRA. 81 issues 
> (plus issues that were mentioned, during the review of 1st RC) were 
> resolved.
> 
> Test results have been looking good, so I'd like to call an official
> vote now on the release.
> 
> To start, here's my +1.
> 
> Great work everyone.
> 
> [1] https://dist.apache.org/repos/dist/dev/xerces/j/2.12.0/
> Revision 26468
> 
> [2] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0/
> Directory revision: 1829687 (of 1829689)
> 
> [3] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0-
> xml-schema-1.1/
> Directory revision: 1829688 (of 1829689)
> 
> [4] https://issues.apache.org/jira/secure/ReleaseNote.jspa?
> projectId=10520&version=12336542
> 
> [5] https://markmail.org/message/54obpdyqrn6nfzgi : discussion about
> previous RC, suggesting a revote
> 
> [6] Deleting .md5 hash files from the RC distribution at, https://
> dist.apache.org/repos/dist/dev/xerces/j/2.12.0/. Mentioned Revision 
> number in point [1] above. (suggestions from sebb, sebbaz@gmail.com 
> during this voting)
> 
> 

> 
> -- 
> Regards,
> Mukul Gandhi


RE: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release

Posted by David Dillard <Da...@veritas.com>.
I’m ok with that for the release announcement.


From: Mukul Gandhi [mailto:mukulg@apache.org]
Sent: Wednesday, May 2, 2018 3:33 AM
To: j-dev@xerces.apache.org
Cc: private@xerces.apache.org; j-users@xerces.apache.org
Subject: Re: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release

Hi David,

On Mon, Apr 30, 2018 at 8:32 PM, David Dillard <Da...@veritas.com> wrote:
I asked before about getting a CVE for the issue I raised that was fixed, and about a security advisory.  I don’t recall seeing a response.

Can that please be done as well?  I don’t know what the internal Apache process is for getting CVEs, but there’s got to be one.

 Looking at the 2.12.0 release notes in JIRA, and the CVE which you pointed out that we fixed, I propose to have the following written within our 2.12.0 release announcement,

<text>
The following security issues, raised by users were fixed:

CVE-2012-0881 : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881

CVE-2013-4002 : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002

CVE-2018-2799 : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2799
</text>

Please let us know your opinion about this. Anyone else could also comment.


--
Regards,
Mukul Gandhi

Re: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release

Posted by Mukul Gandhi <mu...@apache.org>.
Hi David,

On Mon, Apr 30, 2018 at 8:32 PM, David Dillard <Da...@veritas.com>
wrote:

> I asked before about getting a CVE for the issue I raised that was fixed,
> and about a security advisory.  I don’t recall seeing a response.
>
>
>
> Can that please be done as well?  I don’t know what the internal Apache
> process is for getting CVEs, but there’s got to be one.
>

 Looking at the 2.12.0 release notes in JIRA, and the CVE which you pointed
out that we fixed, I propose to have the following written within our 2.12.0
release announcement,

<text>
The following security issues, raised by users were fixed:

CVE-2012-0881 : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881

CVE-2013-4002 : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002

CVE-2018-2799 : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2799
</text>

Please let us know your opinion about this. Anyone else could also comment.


-- 
Regards,
Mukul Gandhi

Re: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release

Posted by Mukul Gandhi <mu...@apache.org>.
Hi David,

On Mon, Apr 30, 2018 at 8:32 PM, David Dillard <Da...@veritas.com>
wrote:

> I asked before about getting a CVE for the issue I raised that was fixed,
> and about a security advisory.  I don’t recall seeing a response.
>

Michael (our PMC chair) wrote to Apache security@ about this issue, a day
or two ago. But there's been no response from Apache security@ yet. If
there's a reply from Apache security@ later about this, we could declare
these details (i.e. security advisory you talked about) as a separate note.
But for now, it would be good that we make an announcement to the lists
about the Xerces 2.12.0 release.



-- 
Regards,
Mukul Gandhi

Re: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release

Posted by Michael Glavassevich <mr...@ca.ibm.com>.
This has been discussed many times before. Users are required to configure 
XML parsers appropriately for the environment they're running their 
application in. JAXP provides many ways of disabling DTD processing and 
entity resolution. The default behaviour is what's required by the spec. 
It isn't changing.

Thanks.

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org

Mukul Gandhi <mu...@apache.org> wrote on 05/01/2018 01:37:22 AM:

> Hi Jim,
>    Requesting you to please, create a separate thread on "dev" list 
> to discuss this issue. You may also either create a Xerces bug or an
> improvement request in JIRA.
> 
> On Mon, Apr 30, 2018 at 9:43 PM, Jim Manico <ji...@manicode.com> wrote:
> Forgive this disruption but Xerces allows external entity resolution
> to be enabled by default which is a major vulnerability. A simple 
> config setting change would turn this, rightfully, off by default.
> 
> For more info please see https://cwe.mitre.org/data/definitions/611.html

> --
> Jim Manico
> @Manicode
> Secure Coding Education
> +1 (808) 652-3805 
> 

> 
> -- 
> Regards,
> Mukul Gandhi


Re: [EXTERNAL] [VOTE RESULTS]: Xerces-J 2.12.0 release

Posted by Mukul Gandhi <mu...@apache.org>.
Hi Jim,
   Requesting you to please, create a separate thread on "dev" list to
discuss this issue. You may also either create a Xerces bug or an
improvement request in JIRA.

On Mon, Apr 30, 2018 at 9:43 PM, Jim Manico <ji...@manicode.com> wrote:

> Forgive this disruption but Xerces allows external entity resolution to be
> enabled by default which is a major vulnerability. A simple config setting
> change would turn this, rightfully, off by default.
>
> For more info please see https://cwe.mitre.org/data/definitions/611.html
>
> --
> Jim Manico
> @Manicode
> Secure Coding Education
> +1 (808) 652-3805
>
>


-- 
Regards,
Mukul Gandhi