Posted to soap-dev@ws.apache.org by Scott Nichol <sn...@scottnichol.com> on 2002/12/03 19:28:48 UTC

Fw: Security Alert - Xerces]

This is the "future" feature being set for Xerces.

Scott Nichol

----- Original Message -----
From: "Ted Leung" <tw...@sauria.com>
To: <se...@apache.org>
Cc: <xe...@xml.apache.org>; <ax...@xml.apache.org>
Sent: Tuesday, December 03, 2002 10:31 AM
Subject: Re: Security Alert - Xerces]


> The next version of Xerces-J will include a parser feature that will
> turn off DOCTYPE processing.  When activated, this feature will
> prevent the entity expansion that causes this vulnerability.  The Axis
> team will be able to use this feature to close the hole.
>
> The URI for the parser feature will be
> "http://apache.org/xml/features/disallow-doctype-decl"
>
> Ted
> ----- Original Message -----
> From: "Ben Laurie" <be...@algroup.co.uk>
> To: "Ted Leung" <tw...@sauria.com>
> Sent: Wednesday, November 27, 2002 3:37 AM
> Subject: [Fwd: Security Alert - Xerces]
>
>
> > Here ya go. Please keep security@ copied on any followups...
> >
> > Cheers,
> >
> > Ben.
> >
> > --
> > http://www.apache-ssl.org/ben.html       http://www.thebunker.net/
> >
> > "There is no limit to what a man can do or how far he can go if he
> > doesn't mind who gets the credit." - Robert Woodruff
> >
>
>
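
The feature named in Ted Leung's message, applied through the JAXP DocumentBuilderFactory API, as an added example that is not part of the original thread and is not Axis or Xerces project code. The class name, helper names and both sample documents are constructed for illustration; it assumes a parser that recognizes the feature URI.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class DisallowDoctypeDemo {
    // Feature URI as quoted in the message above.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Hypothetical helper: build a parser that refuses any DOCTYPE declaration.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // setFeature throws ParserConfigurationException when the underlying
        // parser does not know the feature, so an older parser fails closed
        // here instead of silently parsing with DOCTYPE processing still on.
        factory.setFeature(DISALLOW_DOCTYPE, true);
        return factory.newDocumentBuilder();
    }

    // Returns true if the hardened parser accepts the document.
    static boolean accepts(String xml) throws Exception {
        byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
        try {
            hardenedBuilder().parse(new ByteArrayInputStream(bytes));
            return true;
        } catch (SAXException e) {
            // With the feature on, the DOCTYPE itself is a fatal error,
            // raised before any entity declaration is processed or expanded.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one plain message, and one that carries
        // an internal DTD subset declaring a single harmless entity.
        String plain = "<Envelope><Body>hello</Body></Envelope>";
        String withDoctype =
            "<!DOCTYPE Envelope [<!ENTITY e \"x\">]>"
            + "<Envelope><Body>&e;</Body></Envelope>";
        System.out.println("plain accepted: " + accepts(plain));
        System.out.println("doctype accepted: " + accepts(withDoctype));
    }
}
```

Because the check rejects the declaration rather than limiting expansion, any legitimate input that relies on a DTD is refused as well.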