[EXT] Re: [xsde-users] Codesynthesis XSDE security vulnerabilities database
Boris Kolpackov
boris at codesynthesis.com
Thu Feb 22 04:05:57 EST 2024
Yegnaram, Shrikant <SYegnaram at cls-bank.com> writes:
> Can you also share the version of expat that CXSDE uses.
It is version 2.1 with a number of bug fixes backported from
later versions. The "upstream" (with regard to libxsde) for
this work lives here:
https://github.com/boris-kolpackov/libexpat/tree/2.1
To preempt the question why not upgrade to the latest expat, the
reason is that later versions started sacrificing portability in
the name of security (like depending on platform-specific
date/time functions for hash seeds) which we cannot afford in
XSD/e.
> Can you also notify here if and when you happen to publish
> any vulnerabilities to mitre.org.
Yes, will do.