[security-dev] PicketLink 2.7 and XXE

Benjamin Bentmann bentmann at sonatype.com
Fri Aug 8 09:30:41 EDT 2014


Hi,

a couple of days back [0], I noticed that PicketLink 2.7.0.Beta1 was 
released but seems to be missing the changes to its DocumentUtil that 
disable entity expansion, as done for e.g. the 2.6.x branch.

I'm not sure whether my GitHub comment reached anybody, so I figured I'd 
make another attempt via this channel to ensure the potential issue 
doesn't fall through the cracks.

Bye,


Benjamin


[0] 
https://github.com/picketlink/picketlink/commit/e81bf14ea6dbbc1570b79f44f1179ae61a353040#commitcomment-7238470
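The hardening the message refers to is the standard JAXP treatment for XXE: configure the DocumentBuilderFactory so that no DOCTYPE, and therefore no entity declaration, is accepted. The following is an added example written for this page, not PicketLink's DocumentUtil or any code from the project; it parses a constructed payload with the JDK's default factory and then with a hardened one, using only standard SAX/Xerces feature URIs. The class name XxeDemo, the helper names and the temp file standing in for a sensitive local file are all assumptions of the example.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Default JAXP configuration: external entities are resolved, which is the
    // behaviour a hardened DocumentUtil has to switch off.
    static DocumentBuilderFactory permissiveFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened configuration. The feature URIs are standard SAX/Xerces ones
    // honoured by the JDK's built-in parser; a parser that does not recognise
    // one of them throws ParserConfigurationException, which is left to
    // propagate rather than silently falling back to the permissive defaults.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Strongest single setting: reject any DOCTYPE, so nothing can declare
        // an entity (external or internal) in the first place.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers or configurations where DOCTYPE is allowed.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parses the document and returns the text content of the root element,
    // which is where an expanded external entity would show up.
    static String parseRootText(DocumentBuilderFactory dbf, String xml) throws Exception {
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive local file (an attacker would
        // point the entity at something like /etc/passwd or a key file).
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "top-secret".getBytes(StandardCharsets.UTF_8));

        // Constructed malicious document: an external general entity that
        // reads the file, referenced from the element content.
        String payload =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE r [<!ENTITY ext SYSTEM \"" + secret.toUri() + "\">]>\n" +
            "<r>&ext;</r>";

        try {
            // Default factory: the file contents end up in the parsed DOM.
            System.out.println("permissive: " + parseRootText(permissiveFactory(), payload));

            // Hardened factory: the DOCTYPE itself is rejected before any
            // entity can be resolved.
            try {
                parseRootText(hardenedFactory(), payload);
                System.out.println("hardened: parsed (unexpected)");
            } catch (SAXParseException e) {
                System.out.println("hardened: rejected -> " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run it with `javac XxeDemo.java && java XxeDemo`. The practical check for a project like PicketLink is the one the hardened factory performs on itself: set `disallow-doctype-decl` and treat a ParserConfigurationException from `setFeature` as a build or startup failure, so that swapping in an XML parser that ignores the feature cannot quietly reintroduce entity expansion.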

