Bug#888547: CVE-2017-1000190
Emmanuel Bourg
ebourg at apache.org
Thu Aug 23 14:55:22 BST 2018
On 23/08/2018 13:14, Markus Koschany wrote:
> Apparently upstream doesn't consider this "to be their problem". Since
> simple-xml has no reverse-dependencies and the current uploader is MIA,
> I think we should consider requesting the removal of simple-xml.
simple-xml is a dependency of carrotsearch-randomizedtesting.
The fix should be trivial, it's just a matter of disabling external
entities parsing on the underlying XML parser. And maybe we've already
fixed the XML parser used by default.
Emmanuel Bourg
More information about the pkg-java-maintainers
mailing list