Posted to c-users@xerces.apache.org by "Cantor, Scott" <ca...@osu.edu> on 2016/06/29 14:44:23 UTC

Xerces-C 3.1.4 released

A patch release of the Xerces-C XML parser is now available and is propagating to the mirrors. It includes a small number of important bug fixes, including a fix for CVE-2016-4463.

https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=10510&version=12336069

Of special note, applications that don't make use of DTDs should strongly consider setting the XERCES_DISABLE_DTD environment variable to "1" to insulate themselves from the likelihood of future vulnerabilities in that code. When I have a free moment I will make that a parser feature in the trunk since it requires an ABI change.

-- Scott


RE: Xerces-C 3.1.4 released

Posted by "Cantor, Scott" <ca...@osu.edu>.
> FYI, the downloads on http://apache.org/dist/xerces/c/3/sources/
> are missing the signatures and checksums for xerces-c-3.1.4.tar.xz.
> Would it be possible to add them?

Forgot it existed. I'll try and get to it when I can.

-- Scott



---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org


Re: Xerces-C 3.1.4 released

Posted by rl...@codelibre.net.
On 2016-06-29 14:44, Cantor, Scott wrote:
> A patch release of the Xerces-C XML parser is now available and is
> propagating to the mirrors. It includes a small number of important
> bug fixes, including a fix for CVE-2016-4463.
> 
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=10510&version=12336069
> 
> Of special note, applications that don't make use of DTDs should
> strongly consider setting the XERCES_DISABLE_DTD environment variable
> to "1" to insulate themselves from the likelihood of future
> vulnerabilities in that code. When I have a free moment I will make
> that a parser feature in the trunk since it requires an ABI change.

FYI, the downloads on http://apache.org/dist/xerces/c/3/sources/
are missing the signatures and checksums for xerces-c-3.1.4.tar.xz.
Would it be possible to add them?


Thanks,
Roger
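Roger's point above is the supply-chain check a consumer of the 3.1.4 tarball would want to run. The script below is an added example, not part of the release or of any message in this thread: it verifies a downloaded Apache artifact against its checksum file (accepting the several checksum layouts found on Apache mirrors) and, separately, against its detached PGP signature using the project's KEYS file. The file names, the KEYS file location and the sample payload are assumptions; the payload is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Xerces-C project code): verify a downloaded Apache release
# artifact. A checksum fetched from the same mirror only detects corruption;
# the detached .asc signature checked against the project's KEYS file is what
# authenticates the tarball. All file names here are assumptions.

# Print the SHA-256 of a file, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# verify_sha256 <artifact> <checksum-file>
# Accepts the layouts seen in Apache checksum files: "HASH  filename"
# (sha256sum style), a bare hash, or "filename: AB12 CD34 ..." (gpg --print-md).
# Strips whitespace, lowercases, and takes the first 64-hex-digit run.
# Returns 0 on match, 1 on mismatch, 2 if no usable hash was found.
verify_sha256() {
    artifact=$1
    sumfile=$2
    [ -r "$artifact" ] && [ -r "$sumfile" ] || return 2
    expected=$(tr -d ' \t\r\n' < "$sumfile" | tr 'A-F' 'a-f' \
               | grep -o '[0-9a-f]\{64\}' | head -n 1)
    [ -n "$expected" ] || return 2
    actual=$(sha256_of "$artifact")
    if [ "$expected" = "$actual" ]; then
        echo "OK: $artifact matches $sumfile"
        return 0
    fi
    echo "MISMATCH: $artifact (expected $expected, got $actual)" >&2
    return 1
}

# verify_signature <artifact> <artifact.asc> <KEYS>
# Imports the project's KEYS file into a throwaway keyring and checks the
# detached signature against it. Needs gpg and the real files, so the
# test below does not exercise it.
verify_signature() {
    workdir=$(mktemp -d)
    keyring="$workdir/release-keys.gpg"
    if ! gpg --no-default-keyring --keyring "$keyring" --import "$3" >/dev/null 2>&1; then
        rm -rf "$workdir"
        return 2
    fi
    gpg --no-default-keyring --keyring "$keyring" --verify "$2" "$1"
    status=$?
    rm -rf "$workdir"
    return $status
}

# Typical use once the files are fetched (assumed names):
#   verify_sha256    xerces-c-3.1.4.tar.xz xerces-c-3.1.4.tar.xz.sha256
#   verify_signature xerces-c-3.1.4.tar.xz xerces-c-3.1.4.tar.xz.asc KEYS
```

A matching checksum with a failed or absent signature check should be treated as unverified: both files normally come from the same mirror, so only the signature ties the tarball to a release manager's key.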



Re: Xerces-C 3.1.4 released

Posted by Gareth Reakes <ga...@reakes.com>.

Yeah! Thanks Scott.

G

> On 29 Jun 2016, at 15:44, Cantor, Scott <ca...@osu.edu> wrote:
> 
> A patch release of the Xerces-C XML parser is now available and is propagating to the mirrors. It includes a small number of important bug fixes, including a fix for CVE-2016-4463.
> 
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=10510&version=12336069
> 
> Of special note, applications that don't make use of DTDs should strongly consider setting the XERCES_DISABLE_DTD environment variable to "1" to insulate themselves from the likelihood of future vulnerabilities in that code. When I have a free moment I will make that a parser feature in the trunk since it requires an ABI change.
> 
> -- Scott
> 




RE: [patch] Allow building with ICU using VC12 and VC14

Posted by "Cantor, Scott" <ca...@osu.edu>.
> Attached is a diff against 3.1.4 to enable building with VC12 and VC14
> with the ICU configurations.

I assume that's already in Jira. If not, it's not going to ever get remembered and applied.

-- Scott




[patch] Allow building with ICU using VC12 and VC14

Posted by rl...@codelibre.net.
On 2016-06-29 14:44, Cantor, Scott wrote:
> A patch release of the Xerces-C XML parser is now available and is
> propagating to the mirrors. It includes a small number of important
> bug fixes, including a fix for CVE-2016-4463.

Attached is a diff against 3.1.4 to enable building with VC12 and VC14 
with the ICU configurations.  Note that this is the same patch for both 
VC versions, and that the bug is also present in the prior VC version 
project files, and can be applied to them as well.  The ICU DLL 
to use is either missing, or using the incorrect debug or release 
variant.  This ensures that the correct debug or release variant is used 
for all of the four possible variants.


Regards,
Roger

Re: Xerces-C 3.1.4 released

Posted by Vitaly Prapirny <ma...@mebius.net>.
Thanks Scott!

Good luck!
   Vitaly

Cantor, Scott wrote:
> A patch release of the Xerces-C XML parser is now available and is propagating to the mirrors. It includes a small number of important bug fixes, including a fix for CVE-2016-4463.
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=10510&version=12336069
>
> Of special note, applications that don't make use of DTDs should strongly consider setting the XERCES_DISABLE_DTD environment variable to "1" to insulate themselves from the likelihood of future vulnerabilities in that code. When I have a free moment I will make that a parser feature in the trunk since it requires an ABI change.
>
> -- Scott
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
> For additional commands, e-mail: c-dev-help@xerces.apache.org
>




RE: Xerces-C 3.1.4 released

Posted by DK <dk...@gmail.com>.
I use the Static Xerces libraries (I build the VC14 XercesLib project only -
Static Debug & Static Release configurations), do I:
1. Add the XERCES_DISABLE_DTD=1 as a pre-processor variable to the
XercesLib builds, or
2. Add it as a pre-processor variable to my project that includes these
libraries, or
3. Have it defined when running the application that includes the static
library?

I must admit that if the answer is "3", it won't be possible as I can't
force the many users of our Open Source Windows application to set
environment variables.  In this case, I would prefer it to be a XercesLib
project pre-processor variable so that the static libraries that are
generated are protected in that application without any user intervention.

Many thanks.


-----Original Message-----
From: Cantor, Scott [mailto:cantor.2@osu.edu] 
Sent: 29 June 2016 15:44
To: c-users@xerces.apache.org; c-dev@xerces.apache.org
Subject: Xerces-C 3.1.4 released

A patch release of the Xerces-C XML parser is now available and is
propagating to the mirrors. It includes a small number of important bug
fixes, including a fix for CVE-2016-4463.

https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=10510&version=12336069

Of special note, applications that don't make use of DTDs should strongly
consider setting the XERCES_DISABLE_DTD environment variable to "1" to
insulate themselves from the likelihood of future vulnerabilities in that
code. When I have a free moment I will make that a parser feature in the
trunk since it requires an ABI change.

-- Scott
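Scott's advice is to set XERCES_DISABLE_DTD=1 in the environment, and DK's question is what to do when the application's users cannot be asked to set environment variables. The thread does not answer that, and the code below is an added example, not Xerces-C project code and not anyone's reply: it shows two application-side measures. First, setting the variable from inside the process before Xerces is initialised (this assumes, as the thread's wording suggests but does not confirm, that the library reads it from the process environment at runtime, so it must happen before the first parser is created). Second, a small prolog scanner that rejects any document carrying a DOCTYPE before the root element, which works regardless of the Xerces version or build configuration in use. The sample documents are constructed; the scanner assumes an ASCII-compatible encoding such as UTF-8 and would need the input decoded first for UTF-16.

```cpp
// Added example (not Xerces-C project code): two application-side ways to keep
// DTD processing out of the picture when end users cannot be asked to set
// environment variables.
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>

// Set XERCES_DISABLE_DTD=1 from inside the process. Assumption (not confirmed
// by the thread): Xerces-C reads the variable from the process environment at
// runtime, so call this before the first parser is constructed.
bool disableXercesDtdInProcess() {
#ifdef _WIN32
    return _putenv_s("XERCES_DISABLE_DTD", "1") == 0;
#else
    return setenv("XERCES_DISABLE_DTD", "1", 1) == 0;
#endif
}

// Report whether the variable is set to exactly "1" in this process.
bool isXercesDtdDisabled() {
    const char* v = std::getenv("XERCES_DISABLE_DTD");
    return v != nullptr && std::strcmp(v, "1") == 0;
}

// Scan the XML prolog and report whether a DOCTYPE declaration precedes the
// root element. Only a UTF-8 BOM, the XML declaration, processing
// instructions, comments and whitespace may appear there, so those are
// skipped; the first anything-else is the root element (or malformed input),
// after which a DOCTYPE can no longer legally appear. Assumes an
// ASCII-compatible encoding (UTF-8); decode UTF-16 input before calling.
bool hasDoctypeInProlog(const std::string& xml) {
    std::string::size_type i = 0;
    const std::string::size_type n = xml.size();
    if (xml.compare(0, 3, "\xEF\xBB\xBF") == 0) i = 3;   // skip UTF-8 BOM
    for (;;) {
        while (i < n && (xml[i] == ' ' || xml[i] == '\t' ||
                         xml[i] == '\r' || xml[i] == '\n')) ++i;
        if (i >= n || xml[i] != '<') return false;
        if (xml.compare(i, 9, "<!DOCTYPE") == 0) return true;  // XML keywords are case-sensitive
        if (xml.compare(i, 4, "<!--") == 0) {                   // comment: skip to "-->"
            std::string::size_type end = xml.find("-->", i + 4);
            if (end == std::string::npos) return false;
            i = end + 3;
        } else if (xml.compare(i, 2, "<?") == 0) {              // XML declaration or PI
            std::string::size_type end = xml.find("?>", i + 2);
            if (end == std::string::npos) return false;
            i = end + 2;
        } else {
            return false;   // root element (or junk): prolog is over
        }
    }
}

int main() {
    // Constructed sample document with an internal subset, the kind of input
    // an application that never uses DTDs has no reason to accept.
    const std::string constructed =
        "<?xml version=\"1.0\"?>\n<!DOCTYPE r [<!ENTITY e \"x\">]>\n<r>&e;</r>\n";
    std::printf("DOCTYPE in prolog: %s\n",
                hasDoctypeInProlog(constructed) ? "yes, reject before parsing" : "no");
    std::printf("XERCES_DISABLE_DTD set in-process: %s\n",
                disableXercesDtdInProcess() && isXercesDtdDisabled() ? "yes" : "no");
    return 0;
}
```

The pre-scan is a gate in front of the parser, not a replacement for fixing the library: it costs one pass over the prolog, and a document that fails it never reaches the DTD code at all, whichever Xerces build the application links.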