Posted to j-users@xerces.apache.org by Yves Geissbühler <yv...@incentage.com> on 2017/12/22 14:15:36 UTC

Any Xerces-J 2.12.0 release date to address CVE-2012-0881?

Hi all,
my problem is that Xerces-J 2.11.0 pops up on the OWASP Dependency Check [1] having the vulnerability CVE-2012-0881.


After some investigation I found that CVE-2012-0881 has been indeed fixed and is scheduled to be released for Xerces-J 2.12.0 [2].


However, no specific release date is given [3].


Could you point me to a release schedule or do you know the release date?


Using libraries which contain vulnerabilities is not an option for my organisation. So, I'm hoping for a Xerces-J 2.11.0 release happening soonish.


Best regards,
Yves


[1] https://www.owasp.org/index.php/OWASP_Dependency_Check
[2] https://issues.apache.org/jira/browse/XERCESJ-1685
[3] https://issues.apache.org/jira/projects/XERCESJ/versions/12336542

Re: Any Xerces-J 2.12.0 release date to address CVE-2012-0881?

Posted by Michael Glavassevich <mr...@ca.ibm.com>.
As has been the case for a long time, Xerces-J 2.12.0 needs volunteers to 
actually make this release happen.

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org

Gary Gregory <ga...@gmail.com> wrote on 12/22/2017 01:46:28 PM:
 
> Good question. Xerces has been rather... inactive :-(
> 
> Gary
> 
> On Fri, Dec 22, 2017 at 7:15 AM, Yves Geissbühler <
> yves.geissbuehler@incentage.com> wrote:
> Hi all,
> my problem is that Xerces-J 2.11.0 pops up on the OWASP Dependency 
> Check [1] having the vulnerability CVE-2012-0881.
> 
> After some investigation I found that CVE-2012-0881 has been indeed 
> fixed and is scheduled to be released for Xerces-J 2.12.0 [2].
> 
> However, no specific release date is given [3].
> 
> Could you point me to a release schedule or do you know the release
> date?
> 
> Using libraries which contain vulnerabilities is not an option for 
> my organisation. So, I'm hoping for a Xerces-J 2.11.0 release 
> happening soonish.
> 
> Best regards,
> Yves
> 
> [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
> [2] https://issues.apache.org/jira/browse/XERCESJ-1685
> [3] https://issues.apache.org/jira/projects/XERCESJ/versions/12336542


Re: Any Xerces-J 2.12.0 release date to address CVE-2012-0881?

Posted by Gary Gregory <ga...@gmail.com>.
Good question. Xerces has been rather... inactive :-(

Gary

On Fri, Dec 22, 2017 at 7:15 AM, Yves Geissbühler <
yves.geissbuehler@incentage.com> wrote:

> Hi all,
> my problem is that Xerces-J 2.11.0 pops up on the OWASP Dependency Check
> [1] having the vulnerability CVE-2012-0881.
>
> After some investigation I found that CVE-2012-0881 has been indeed fixed
> and is scheduled to be released for Xerces-J 2.12.0 [2].
>
> However, no specific release date is given [3].
>
> Could you point me to a release schedule or do you know the release date?
>
> Using libraries which contain vulnerabilities is not an option for my
> organisation. So, I'm hoping for a Xerces-J 2.11.0 release happening
> soonish.
>
> Best regards,
> Yves
>
> [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
> [2] https://issues.apache.org/jira/browse/XERCESJ-1685
> [3] https://issues.apache.org/jira/projects/XERCESJ/versions/12336542
>