[security-dev] PicketLink 2.7 and XXE

Pedro Igor Silva psilva at redhat.com
Fri Aug 8 14:22:41 EDT 2014


Hey All,

   I've merged Peter's commit into upstream/master.

Thanks Benjamin.

----- Original Message -----
From: "Anil Saldhana" <asaldhan at redhat.com>
To: "Benjamin Bentmann" <bentmann at sonatype.com>
Cc: security-dev at lists.jboss.org
Sent: Friday, August 8, 2014 11:06:06 AM
Subject: Re: [security-dev] PicketLink 2.7 and XXE

Hi Benjamin - thanks a lot. We will ensure that the fix gets into trunk.

> On Aug 8, 2014, at 8:30 AM, Benjamin Bentmann <bentmann at sonatype.com> wrote:
> 
> Hi,
> 
> a couple of days back [0], I noticed that PicketLink 2.7.0.Beta1 was 
> released but seems to be missing the changes to its DocumentUtil to disable 
> entity expansion that were made for e.g. the 2.6.x branch.
> 
> I'm not sure whether my GitHub comment reached anybody, so I figured I'd 
> make another attempt via this channel to ensure the potential issue 
> doesn't fall through the cracks.
> 
> Bye,
> 
> 
> Benjamin
> 
> 
> [0] 
> https://github.com/picketlink/picketlink/commit/e81bf14ea6dbbc1570b79f44f1179ae61a353040#commitcomment-7238470
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev

_______________________________________________
security-dev mailing list
security-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
