hunterhacker / jdom

Java manipulation of XML made easy

Got security warning for JDOM » 2.0.6.1 - CVE-2022-34169 #203

Open dkumarkartik opened 1 year ago

dkumarkartik commented 1 year ago

Hello Team hunterhacker, we are currently using JDOM 2.0.6.1 and are facing a vulnerability warning for CVE-2022-34169 and 4 for the Xerces library. So can we get a fix for these vulnerabilities?

hunterhacker commented 1 year ago

What do you propose be done?

rzo1 commented 1 year ago

@hunterhacker I think it is mainly about updating xerces to 2.7.3, which shouldn't be that hard, and doing a release in order to please scanners. Probably just a matter of available time :)

chadlwilson commented 1 year ago

Both Xalan and Xerces are optional dependencies for JDom2, so the version used is up to users, and indeed I believe you can replace them with alternative implementations. There are patched versions of Xerces (2.12.2), and JDOM can't do anything about a vulnerability in Xalan 2.7.2, which probably won't be patched/fixed as it's EOL.

I'd suggest people check that they are not pulling in optional dependencies due to issues with their build system, and/or remove them if not needed.

pjonsson commented 9 months ago

There is a Xalan 2.7.3 released in April this year that fixes the mentioned CVE according to https://xalan.apache.org/xalan-j/readme.html#done.
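The two practical points in this thread are chadlwilson's advice to check whether a build is actually pulling in the optional Xalan/Xerces dependencies, and the fixed versions named above (Xerces 2.12.2, Xalan 2.7.3 for CVE-2022-34169). The following script is an added example, not code from the JDOM project or from anyone in this thread: it parses the text that `mvn dependency:tree` prints, looks for those two artifacts, and reports any copy older than the fixed version together with the scope it was resolved in. The dependency-tree sample embedded in it is constructed for the example; the `FIXED_VERSIONS` table and the `find_vulnerable` helper are mine, and the version thresholds are the ones stated on this page.

```python
"""Flag outdated Xalan/Xerces artifacts in `mvn dependency:tree` output.

Added example for this thread. Fixed versions come from the discussion above:
Xalan 2.7.3 (fixes CVE-2022-34169) and Xerces 2.12.2.
"""
import re

# (groupId, artifactId) -> first version considered fixed (from the thread).
FIXED_VERSIONS = {
    ("xalan", "xalan"): (2, 7, 3),
    ("xerces", "xercesImpl"): (2, 12, 2),
}

# Constructed sample of `mvn dependency:tree` output; not real project output.
# It models a build that picked up the optional Xalan dependency at 2.7.2.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.jdom:jdom2:jar:2.0.6.1:compile
[INFO] +- xalan:xalan:jar:2.7.2:compile
[INFO] |  \\- xalan:serializer:jar:2.7.2:compile
[INFO] +- xerces:xercesImpl:jar:2.12.2:compile
[INFO] |  \\- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""


def parse_tree(text):
    """Return (groupId, artifactId, version, scope) for each resolved dependency.

    Maven prints coordinates as groupId:artifactId:type[:classifier]:version:scope.
    The root artifact line has no scope and only four parts, so it is skipped.
    """
    deps = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        parts = stripped.split()[-1].split(":")
        if len(parts) < 5:
            continue
        deps.append((parts[0], parts[1], parts[-2], parts[-1]))
    return deps


def parse_version(version):
    """Turn '2.7.2' or '2.12.2-SNAPSHOT' into a comparable tuple of ints.

    Parsing stops at the first non-numeric component so qualifiers do not
    break the comparison.
    """
    nums = []
    for part in re.split(r"[.\-]", version):
        if part.isdigit():
            nums.append(int(part))
        else:
            break
    return tuple(nums)


def find_vulnerable(text):
    """Return a list of findings for tracked artifacts older than their fixed version."""
    findings = []
    for group, artifact, version, scope in parse_tree(text):
        fixed = FIXED_VERSIONS.get((group, artifact))
        if fixed is None:
            continue
        if parse_version(version) < fixed:
            findings.append({
                "artifact": f"{group}:{artifact}",
                "found": version,
                "fixed_in": ".".join(str(n) for n in fixed),
                "scope": scope,
            })
    return findings


if __name__ == "__main__":
    # Pipe real output in with: mvn dependency:tree | python check_xml_deps.py
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for f in find_vulnerable(source):
        print(f"{f['artifact']} {f['found']} ({f['scope']}) is older than {f['fixed_in']}")
```

Run against the constructed sample, the script reports only `xalan:xalan 2.7.2`, since the sample's Xerces is already at 2.12.2. A `compile` scope on a dependency you never declared is the signal the thread is pointing at: the artifact arrived transitively or through a build-system quirk, and the remedy is to exclude it or pin it to the fixed version rather than to wait on JDOM.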