From URL: "There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions. Mitigation: Apache XercesJ users should migrate to version 2.12.2." Please bump.
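The report above gives a single affected range (2.12.1 and earlier) and a single fixed release (2.12.2), which is exactly what a deployment check needs. The script below is an added example, not code from the bug, from Gentoo or from Apache: it walks a directory of jars, picks out the ones that ship org.apache.xerces classes, reads the version they record and flags anything older than 2.12.2. It assumes the version is recorded in META-INF/maven/xerces/xercesImpl/pom.properties (Maven Central builds) or as Implementation-Version in META-INF/MANIFEST.MF; both are assumptions, so the script accepts either. The sample jars it scans when run without arguments are constructed inline so it runs offline.

```python
"""Flag Apache XercesJ jars older than 2.12.2 (the fixed release named in the bug).

Added example, not Gentoo's or Apache's own tooling. Assumptions: the XercesJ jar
records its version in META-INF/maven/xerces/xercesImpl/pom.properties (version=)
and/or in META-INF/MANIFEST.MF (Implementation-Version). The jars built by demo()
are constructed test fixtures, not real XercesJ releases.
"""
import re
import sys
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 12, 2)  # first release without the infinite-loop bug


def parse_version(text):
    """'2.12.1' -> (2, 12, 1); a trailing qualifier such as '-SNAPSHOT' is dropped."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def xerces_version_from_jar(jar_path):
    """Return the version tuple recorded in the jar, or None if it is not XercesJ."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        # Only jars that actually carry the Xerces implementation classes count;
        # a jar that merely depends on Xerces is not the thing to upgrade.
        if not any(n.startswith("org/apache/xerces/") for n in names):
            return None
        pom = "META-INF/maven/xerces/xercesImpl/pom.properties"  # assumption
        if pom in names:
            for line in zf.read(pom).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return parse_version(line.split("=", 1)[1])
        manifest = "META-INF/MANIFEST.MF"
        if manifest in names:
            for line in zf.read(manifest).decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):  # assumption
                    return parse_version(line.split(":", 1)[1])
    return None


def is_vulnerable(version):
    """Tuple comparison: (2, 12, 1) < (2, 12, 2), (2, 9, 0) < (2, 12, 2)."""
    return version is not None and version < FIXED_VERSION


def scan(directory):
    """Map each XercesJ jar found under directory to (version, vulnerable?)."""
    findings = {}
    for jar in Path(directory).rglob("*.jar"):
        version = xerces_version_from_jar(jar)
        if version is not None:
            findings[jar.name] = (version, is_vulnerable(version))
    return findings


def make_fake_xerces_jar(path, version):
    """Constructed fixture: just enough metadata to exercise the check."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\r\nImplementation-Title: Xerces-J\r\n"
            f"Implementation-Version: {version}\r\n\r\n",
        )
        zf.writestr("org/apache/xerces/impl/Version.class", b"")  # placeholder entry


def demo():
    """Scan two constructed jars: one pre-fix (2.12.1) and one fixed (2.12.2)."""
    with tempfile.TemporaryDirectory() as d:
        make_fake_xerces_jar(Path(d) / "xercesImpl-2.12.1.jar", "2.12.1")
        make_fake_xerces_jar(Path(d) / "xercesImpl-2.12.2.jar", "2.12.2")
        return scan(d)


if __name__ == "__main__":
    results = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for name, (ver, vuln) in sorted(results.items()):
        print(f"{name}: {'.'.join(map(str, ver))} {'VULNERABLE' if vuln else 'ok'}")
```

Run it as `python3 check_xerces.py /path/to/app/lib` to scan a real directory; with no argument it scans the two constructed jars. Comparing version tuples rather than strings matters here because "2.9.1" sorts after "2.12.1" as a string but is older, and would be missed by a naive string compare.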
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=743111a72f39a1b24f87bd1b2fc32ef707b41407

commit 743111a72f39a1b24f87bd1b2fc32ef707b41407
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-02-02 17:30:03 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2022-02-03 12:00:09 +0000

    dev-java/xerces: Bump to 2.12.2

    Closes: https://bugs.gentoo.org/831155
    Bug: https://bugs.gentoo.org/831979
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/xerces/Manifest             |  1 +
 dev-java/xerces/metadata.xml         | 11 ++++---
 dev-java/xerces/xerces-2.12.2.ebuild | 57 ++++++++++++++++++++++++++++++++++++
 3 files changed, 65 insertions(+), 4 deletions(-)
Thanks vaukai for the bump. Let's give it a few days before we start the stabilization process, as we don't have tests for this package.
No worries, thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=610e8e15e38b5c213227f1dabdcddfdf60e66095

commit 610e8e15e38b5c213227f1dabdcddfdf60e66095
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-03-06 16:29:41 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-03-06 17:07:45 +0000

    dev-java/xerces: Drop 2.12.0-r1

    Closes: https://bugs.gentoo.org/831155
    Bug: https://bugs.gentoo.org/831979
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/24424
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 dev-java/xerces/Manifest                |  1 -
 dev-java/xerces/xerces-2.12.0-r1.ebuild | 55 ---------------------------------
 2 files changed, 56 deletions(-)
Thanks! Minimal impact so no GLSA. All done!