[Shib-Users] Xerces 3.1.0 NOT supported

Scott Cantor cantor.2 at osu.edu
Mon Feb 15 13:50:15 UTC 2010


Kristof BAJNOK wrote on 2010-02-15:
> Scott, could you please elaborate on what kind of problems this bug
> causes? If we get a negative response from the Xerces developers, we can
> still depend on 2.8 (it's still in testing and sid), although this might
> be suboptimal.

I described the bug here:
http://marc.info/?l=xerces-c-dev&m=126620789715246&w=2

I haven't filed it yet because I found it last night and wanted to sleep on
it, and look more at it today.

I don't know how much it will affect the application, but I think any
scenario involving decryption of XML that happens to include a default
namespace declaration will fail. A Shibboleth IdP is unlikely to trigger
that, but I don't control what other implementations send.

The result would be a caught exception and a controlled failure, but there
are some other code paths involving importNode that I don't think are
protected (which I'm going to wrap now).

Any response I got from the developers would be irrelevant until there's a
3.1.1 or 3.2 issued, and I don't generally count on them being fast with
fixes.

I'm pretty sure I know how to fix it, but it's not my code and there could
be side effects I'm not aware of.
 
-- Scott
