Fix availability for vulnerability CVE-2022-34169?

[Venkata Swamy Karukuri <ve...@broadcom.com>]

Dear XALAN java project dev community,

This is Venky from Broadcom Software Group writing about the recent
vulnerability <https://nvd.nist.gov/vuln/detail/CVE-2022-34169> reported
that might execute arbitrary Java bytecode while processing malicious XSLT
stylesheets.

I understand that this project is dormant and being retired. Many projects,
including OpenJDK, and XMLSec, uses XALAN binary.

Do you anticipate providing a fix for this vulnerable binary?
Or* if we provide the fix and test it, would you endorse it and make it
available on the project website?*

Kindly advise.

-Venky Karukuri

-- 
This electronic communication and the information and any files transmitted 
with it, or attached to it, are confidential and are intended solely for 
the use of the individual or entity to whom it is addressed and may contain 
information that is confidential, legally privileged, protected by privacy 
laws, or otherwise restricted from disclosure to anyone else. If you are 
not the intended recipient or the person responsible for delivering the 
e-mail to the intended recipient, you are hereby notified that any use, 
copying, distributing, dissemination, forwarding, printing, or copying of 
this e-mail is strictly prohibited. If you received this e-mail in error, 
please return the e-mail to the sender, delete it from your computer, and 
destroy any printed copy of it.

Re: Fix availability for vulnerability CVE-2022-34169?

[PJ Fanning <fa...@apache.org>]

I don't know if and when there will be a xalan release. Just to correct what you said about OpenJDK - it does not use xalan - it has its own code that was copied from xalan many years ago and is now maintained independently. xmlsec has an optional dependency on xalan and most features of xmlsec work without using xalan. This is described at https://santuario.apache.org/java150releasenotes.html


On 2022/08/26 09:01:56 Venkata Swamy Karukuri wrote:
> Dear XALAN java project dev community,
> 
> This is Venky from Broadcom Software Group writing about the recent
> vulnerability <https://nvd.nist.gov/vuln/detail/CVE-2022-34169> reported
> that might execute arbitrary Java bytecode while processing malicious XSLT
> stylesheets.
> 
> I understand that this project is dormant and being retired. Many projects,
> including OpenJDK, and XMLSec, uses XALAN binary.
> 
> Do you anticipate providing a fix for this vulnerable binary?
> Or* if we provide the fix and test it, would you endorse it and make it
> available on the project website?*
> 
> Kindly advise.
> 
> -Venky Karukuri
> 
> -- 
> This electronic communication and the information and any files transmitted 
> with it, or attached to it, are confidential and are intended solely for 
> the use of the individual or entity to whom it is addressed and may contain 
> information that is confidential, legally privileged, protected by privacy 
> laws, or otherwise restricted from disclosure to anyone else. If you are 
> not the intended recipient or the person responsible for delivering the 
> e-mail to the intended recipient, you are hereby notified that any use, 
> copying, distributing, dissemination, forwarding, printing, or copying of 
> this e-mail is strictly prohibited. If you received this e-mail in error, 
> please return the e-mail to the sender, delete it from your computer, and 
> destroy any printed copy of it.
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@xalan.apache.org
For additional commands, e-mail: dev-help@xalan.apache.org