You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@xalan.apache.org by Dennis van der Laan <d....@rug.nl> on 2022/08/23 08:41:19 UTC

RE: Re: Retire Xalan to the Attic

Hi all,

Is there any progress in releasing a (final?) version of Xalan-J?
Or is there a non-official fork or a patch we can apply to fix
CVE-2022-34169?
Dennis


On 2022/07/25 10:38:47 Vladimir Sitnikov wrote:
> > Since, we earlier on this list (about two months ago)
>
> Was the CVE-2022-34169 known by that time?
> I expect you did not anticipate the CVE back then when you agreed on 1.8,
so that is the reason I suggest considering something below 1.8 for the
next release. 1.7 is fine.
>
> > I think, fixing the CVE that you're referring to, is to support Apache
JMeter
>
> Well, releasing Xalan with the fix would ease JMeter maintenance, and it
would help
> many more people who use xalan.jar.
> I do not suggest maintaining Xalan indefinitely, however, it would be
nice to fix the known CVE.
>
> Vladimir
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@xalan.apache.org
> For additional commands, e-mail: dev-help@xalan.apache.org
>
>