Posted to j-users@xerces.apache.org by Yves Geissbühler <yv...@incentage.com> on 2017/12/22 14:15:36 UTC
Any Xerces-J 2.12.0 release date to address CVE-2012-0881?
Hi all,
my problem is that Xerces-J 2.11.0 pops up on the OWASP Dependency Check [1] having the vulnerability CVE-2012-0881.
After some investigation I found that CVE-2012-0881 has been indeed fixed and is scheduled to be released for Xerces-J 2.12.0 [2].
However, no specific release date is given [3].
Could you point me to a release schedule or do you know the release date?
Using libraries which contain vulnerabilities is not an option for my organisation. So, I'm hoping for a Xerces-J 2.11.0 release happening soonish.
Best regards,
Yves
[1] https://www.owasp.org/index.php/OWASP_Dependency_Check
[2] https://issues.apache.org/jira/browse/XERCESJ-1685
[3] https://issues.apache.org/jira/projects/XERCESJ/versions/12336542
Re: Any Xerces-J 2.12.0 release date to address CVE-2012-0881?
Posted by Michael Glavassevich <mr...@ca.ibm.com>.
As has been the case for a long time, Xerces-J 2.12.0 needs volunteers to
actually make this release happen.
Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org
Gary Gregory <ga...@gmail.com> wrote on 12/22/2017 01:46:28 PM:
> Good question. Xerces has been rather... inactive :-(
>
> Gary
>
> On Fri, Dec 22, 2017 at 7:15 AM, Yves Geissbühler <
> yves.geissbuehler@incentage.com> wrote:
> Hi all,
> my problem is that Xerces-J 2.11.0 pops up on the OWASP Dependency
> Check [1] having the vulnerability CVE-2012-0881.
>
> After some investigation I found that CVE-2012-0881 has been indeed
> fixed and is scheduled to be released for Xerces-J 2.12.0 [2].
>
> However, no specific release date is given [3].
>
> Could you point me to a release schedule or do you know the release
> date?
>
> Using libraries which contain vulnerabilities is not an option for
> my organisation. So, I'm hoping for a Xerces-J 2.11.0 release
> happening soonish.
>
> Best regards,
> Yves
>
> [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
> [2] https://issues.apache.org/jira/browse/XERCESJ-1685
> [3] https://issues.apache.org/jira/projects/XERCESJ/versions/12336542
Re: Any Xerces-J 2.12.0 release date to address CVE-2012-0881?
Posted by Gary Gregory <ga...@gmail.com>.
Good question. Xerces has been rather... inactive :-(
Gary
On Fri, Dec 22, 2017 at 7:15 AM, Yves Geissbühler <
yves.geissbuehler@incentage.com> wrote:
> Hi all,
> my problem is that Xerces-J 2.11.0 pops up on the OWASP Dependency Check
> [1] having the vulnerability CVE-2012-0881.
>
> After some investigation I found that CVE-2012-0881 has been indeed fixed
> and is scheduled to be released for Xerces-J 2.12.0 [2].
>
> However, no specific release date is given [3].
>
> Could you point me to a release schedule or do you know the release date?
>
> Using libraries which contain vulnerabilities is not an option for my
> organisation. So, I'm hoping for a Xerces-J 2.11.0 release happening
> soonish.
>
> Best regards,
> Yves
>
> [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
> [2] https://issues.apache.org/jira/browse/XERCESJ-1685
> [3] https://issues.apache.org/jira/projects/XERCESJ/versions/12336542
>