Issue 61 in daisydiff: Xerces Impl included in daisydiff.jar has security vulnerabilities


codesite...@google.com

Apr 29, 2015, 10:01:42 AM4/29/15
to dais...@googlegroups.com
Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 61 by madhukri...@gmail.com: Xerces Impl included in
daisydiff.jar has security vulnerabilities
https://code.google.com/p/daisydiff/issues/detail?id=61

daisydiff.jar packages xercesImpl-2.8.0.jar inside.
This has security vulnerabilities:
1) http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002
2) http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
3) http://osvdb.org/56984

What steps will reproduce the problem?
1. CLM/Code scanners are reporting these vulnerabilities with the current
version of daisydiff.jar
2.
3.

What is the expected output? What do you see instead?
Move to latest xerces (2.11)

What version of the product are you using? On what operating system?
latest daisydiff.jar on both windows and CentOS environments

Please provide any additional information below.
I made build.xml changes to package xerces 2.11 and ran tests.
xerces 2.11 now has additional xml-api.jar which has standard w3cdom and
javax classes.

Attachments:
build.xml 2.8 KB
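Added example, not part of this issue or of the daisydiff project: a small Python check of the kind the reported CLM/code scanners perform, which opens a jar, looks for a bundled Xerces-J and flags it when the version is older than the 2.11 the reporter moved to. It assumes that the shaded `org/apache/xerces/impl/Version.class` still carries the literal `Xerces-J <version>` string (an assumption about how Xerces-J builds its version constant); the sample jars are constructed in memory, so nothing here reads a real daisydiff.jar.

```python
"""Detect a bundled Xerces-J inside a jar and flag outdated versions.

Added example; not code from the daisydiff project. The only signal it
relies on is the "Xerces-J X.Y.Z" literal that (assumption) the Xerces
Version class embeds in its constant pool, which survives being shaded
into another jar such as daisydiff.jar.
"""
import io
import re
import zipfile

# Minimum acceptable Xerces-J release (the issue proposes moving to 2.11).
MIN_XERCES = (2, 11, 0)
XERCES_VERSION_CLASS = "org/apache/xerces/impl/Version.class"
VERSION_RE = re.compile(rb"Xerces-J (\d+)\.(\d+)\.(\d+)")


def bundled_xerces_version(jar_bytes):
    """Return (major, minor, patch) of a Xerces-J bundled in the jar, or None.

    The jar is passed as bytes so the check works on in-memory test data as
    well as on a file read from disk.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if XERCES_VERSION_CLASS not in jar.namelist():
            return None
        match = VERSION_RE.search(jar.read(XERCES_VERSION_CLASS))
        if match is None:
            return None
        return tuple(int(part) for part in match.groups())


def is_outdated(version, minimum=MIN_XERCES):
    """True when a Xerces-J is bundled and is older than `minimum`."""
    return version is not None and version < minimum


def audit(jar_bytes, minimum=MIN_XERCES):
    """Return a short verdict string for a jar, as a scanner report line would."""
    version = bundled_xerces_version(jar_bytes)
    if version is None:
        return "no bundled Xerces-J found"
    label = ".".join(str(p) for p in version)
    if is_outdated(version, minimum):
        return "bundled Xerces-J %s is older than %s" % (
            label, ".".join(str(p) for p in minimum))
    return "bundled Xerces-J %s is acceptable" % label


def make_sample_jar(xerces_version):
    """Construct a fake jar (constructed test data, not a real daisydiff.jar).

    `xerces_version` is a string such as "2.8.0", or None to build a jar with
    no Xerces inside. The fake class file only needs the magic number and the
    version literal for this check to see it.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/outerj/daisy/diff/Main.class", b"\xca\xfe\xba\xbe")
        if xerces_version is not None:
            payload = b"\xca\xfe\xba\xbe" + b"Xerces-J " + xerces_version.encode() + b"\x00"
            jar.writestr(XERCES_VERSION_CLASS, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage against a real file: audit(open("daisydiff.jar", "rb").read())
    for sample in ("2.8.0", "2.11.0", None):
        print(sample, "->", audit(make_sample_jar(sample)))
```

Tuple comparison does the version ordering, so `(2, 8, 0) < (2, 11, 0)` holds where a naive string compare of "2.8.0" and "2.11.0" would not; that is the usual mistake when such checks are written against manifest strings.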
