Discussion:
Xerces-C 3.1.4 released
Cantor, Scott
2016-06-29 14:44:23 UTC
A patch release of the Xerces-C XML parser is now available and is propagating to the mirrors. It includes a small number of important bug fixes, including a fix for CVE-2016-4463.

https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=10510&version=12336069

Of special note, applications that don't make use of DTDs should strongly consider setting the XERCES_DISABLE_DTD environment variable to "1" to insulate themselves from the likelihood of future vulnerabilities in that code. When I have a free moment I will make that a parser feature in the trunk since it requires an ABI change.

-- Scott


---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-***@xerces.apache.org
For additional commands, e-mail: c-dev-***@xerces.apache.org
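
One way to check that the advice above has actually been deployed, as an added example that is not part of the original post or of Xerces-C: a POSIX shell audit for Linux that lists processes mapping libxerces-c and reports whether XERCES_DISABLE_DTD was "1" in their start-up environment. The function names, the /proc layout and treating only the exact value "1" as set are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the post or from Xerces-C): report, for each running
# process that maps libxerces-c, whether XERCES_DISABLE_DTD was "1" at start-up.
# Assumptions: Linux /proc layout; only the exact value "1" counts as set;
# statically linked copies of the parser are not detected.

# Classify one NUL-separated environ file: disabled | wrong-value | unset.
# The first XERCES_DISABLE_DTD entry decides.
classify_environ() {
    tr '\0' '\n' < "$1" | {
        state=unset
        while IFS= read -r entry || [ -n "$entry" ]; do
            case "$state:$entry" in
                unset:XERCES_DISABLE_DTD=1) state=disabled ;;
                unset:XERCES_DISABLE_DTD=*) state=wrong-value ;;
            esac
        done
        printf '%s\n' "$state"
    }
}

# True if the process's memory map references the Xerces-C shared library.
uses_xerces() {
    grep -q 'libxerces-c' "$1" 2>/dev/null
}

# Walk a /proc-style tree and print "<pid> <state>" for every Xerces-C user.
# environ reflects the environment at exec time, not later setenv() calls.
audit_proc() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/maps" ] && [ -r "$dir/environ" ] || continue
        uses_xerces "$dir/maps" || continue
        printf '%s %s\n' "${dir##*/}" "$(classify_environ "$dir/environ")"
    done
}

# Run against the live system only when asked: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_proc /proc
fi
```

Processes reported as unset or wrong-value need the variable set in whatever launches them, followed by a restart.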
Gareth Reakes
2016-06-29 14:50:28 UTC
Yeah! Thanks Scott.

G
Post by Cantor, Scott
A patch release of the Xerces-C XML parser is now available and is propagating to the mirrors. It includes a small number of important bug fixes, including a fix for CVE-2016-4463.
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=10510&version=12336069
Of special note, applications that don't make use of DTDs should strongly consider setting the XERCES_DISABLE_DTD environment variable to "1" to insulate themselves from the likelihood of future vulnerabilities in that code. When I have a free moment I will make that a parser feature in the trunk since it requires an ABI change.
-- Scott
Vitaly Prapirny
2016-06-29 14:54:36 UTC
Thanks Scott!

Good luck!
Vitaly
Post by Cantor, Scott
A patch release of the Xerces-C XML parser is now available and is propagating to the mirrors. It includes a small number of important bug fixes, including a fix for CVE-2016-4463.
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=10510&version=12336069
Of special note, applications that don't make use of DTDs should strongly consider setting the XERCES_DISABLE_DTD environment variable to "1" to insulate themselves from the likelihood of future vulnerabilities in that code. When I have a free moment I will make that a parser feature in the trunk since it requires an ABI change.
-- Scott
r***@codelibre.net
2016-06-30 10:15:46 UTC
Post by Cantor, Scott
A patch release of the Xerces-C XML parser is now available and is
propagating to the mirrors. It includes a small number of important
bug fixes, including a fix for CVE-2016-4463.
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=10510&version=12336069
Of special note, applications that don't make use of DTDs should
strongly consider setting the XERCES_DISABLE_DTD environment variable
to "1" to insulate themselves from the likelihood of future
vulnerabilities in that code. When I have a free moment I will make
that a parser feature in the trunk since it requires an ABI change.
FYI, the downloads on http://apache.org/dist/xerces/c/3/sources/
are missing the signatures and checksums for xerces-c-3.1.4.tar.xz.
Would it be possible to add them?


Thanks,
Roger


Cantor, Scott
2016-06-30 13:41:42 UTC
Post by r***@codelibre.net
FYI, the downloads on http://apache.org/dist/xerces/c/3/sources/
are missing the signatures and checksums for xerces-c-3.1.4.tar.xz.
Would it be possible to add them?
Forgot it existed. I'll try and get to it when I can.

-- Scott



r***@codelibre.net
2016-06-30 17:21:45 UTC
Post by Cantor, Scott
A patch release of the Xerces-C XML parser is now available and is
propagating to the mirrors. It includes a small number of important
bug fixes, including a fix for CVE-2016-4463.
Attached is a diff against 3.1.4 to enable building with VC12 and VC14
with the ICU configurations. Note that this is the same patch for both
VC versions, and that the bug is also present in the prior VC version
project files as well, and can be applied to them as well. The ICU DLL
to use is either missing, or using the incorrect debug or release
variant. This ensures that the correct debug or release variant is used
for all of the four possible variants.


Regards,
Roger
Cantor, Scott
2016-06-30 17:34:08 UTC
Post by r***@codelibre.net
Attached is a diff against 3.1.4 to enable building with VC12 and VC14
with the ICU configurations.
I assume that's already in Jira. If not, it's not going to ever get remembered and applied.

-- Scott

