You are viewing a plain text version of this content. The canonical link for it is here.
Posted to j-users@xalan.apache.org by Venkata Swamy Karukuri <ve...@broadcom.com> on 2022/08/26 09:01:56 UTC
Fix availability for vulnerability CVE-2022-34169?
Dear XALAN java project dev community,
This is Venky from Broadcom Software Group writing about the recent
vulnerability <https://nvd.nist.gov/vuln/detail/CVE-2022-34169> reported
that might execute arbitrary Java bytecode while processing malicious XSLT
stylesheets.
I understand that this project is dormant and being retired. Many projects,
including OpenJDK, and XMLSec, uses XALAN binary.
Do you anticipate providing a fix for this vulnerable binary?
Or* if we provide the fix and test it, would you endorse it and make it
available on the project website?*
Kindly advise.
-Venky Karukuri
--
This electronic communication and the information and any files transmitted
with it, or attached to it, are confidential and are intended solely for
the use of the individual or entity to whom it is addressed and may contain
information that is confidential, legally privileged, protected by privacy
laws, or otherwise restricted from disclosure to anyone else. If you are
not the intended recipient or the person responsible for delivering the
e-mail to the intended recipient, you are hereby notified that any use,
copying, distributing, dissemination, forwarding, printing, or copying of
this e-mail is strictly prohibited. If you received this e-mail in error,
please return the e-mail to the sender, delete it from your computer, and
destroy any printed copy of it.
Re: Fix availability for vulnerability CVE-2022-34169?
Posted by PJ Fanning <fa...@apache.org>.
I don't know if and when there will be a xalan release. Just to correct what you said about OpenJDK - it does not use xalan - it has its own code that was copied from xalan many years ago and is now maintained independently. xmlsec has an optional dependency on xalan and most features of xmlsec work without using xalan. This is described at https://santuario.apache.org/java150releasenotes.html
On 2022/08/26 09:01:56 Venkata Swamy Karukuri wrote:
> Dear XALAN java project dev community,
>
> This is Venky from Broadcom Software Group writing about the recent
> vulnerability <https://nvd.nist.gov/vuln/detail/CVE-2022-34169> reported
> that might execute arbitrary Java bytecode while processing malicious XSLT
> stylesheets.
>
> I understand that this project is dormant and being retired. Many projects,
> including OpenJDK, and XMLSec, uses XALAN binary.
>
> Do you anticipate providing a fix for this vulnerable binary?
> Or* if we provide the fix and test it, would you endorse it and make it
> available on the project website?*
>
> Kindly advise.
>
> -Venky Karukuri
>
> --
> This electronic communication and the information and any files transmitted
> with it, or attached to it, are confidential and are intended solely for
> the use of the individual or entity to whom it is addressed and may contain
> information that is confidential, legally privileged, protected by privacy
> laws, or otherwise restricted from disclosure to anyone else. If you are
> not the intended recipient or the person responsible for delivering the
> e-mail to the intended recipient, you are hereby notified that any use,
> copying, distributing, dissemination, forwarding, printing, or copying of
> this e-mail is strictly prohibited. If you received this e-mail in error,
> please return the e-mail to the sender, delete it from your computer, and
> destroy any printed copy of it.
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@xalan.apache.org
For additional commands, e-mail: dev-help@xalan.apache.org