From SYegnaram at cls-bank.com Thu Dec 12 14:52:21 2024
From: SYegnaram at cls-bank.com (Yegnaram, Shrikant)
Date: Fri Dec 13 00:23:15 2024
Subject: [EXT] Re: Re: [xsde-users] Codesynthesis XSDE security vulnerabilities database

Hello Boris,

Greetings. Starting this thread again, since we have a follow-up query.

There are a bunch of vulnerabilities listed on the NVD website for the expat 2.1 release:

https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=true&query=cpe%3A2.3%3Aa%3Alibexpat_project%3Alibexpat%3A2.1.0%3A*%3A*%3A*%3A*%3A*%3A*%3A*&orderBy=publishDate&orderDir=desc&startIndex=0

Specifically, we are looking at whether CVE-2016-0718 for expat was fixed in the Codesynthesis XSD/e 3.2.0 release. If not, what is the plan for a new XSD/e release with the fixes for the libexpat vulnerabilities?

Thanks,
Shrikant Yegnaram

-----Original Message-----
From: Boris Kolpackov <boris@codesynthesis.com>
Sent: Thursday, February 22, 2024 4:06 AM
To: Yegnaram, Shrikant <SYegnaram@cls-bank.com>
Cc: xsde-users@codesynthesis.com
Subject: [EXT] Re: Re: [xsde-users] Codesynthesis XSDE security vulnerabilities database

Yegnaram, Shrikant <SYegnaram@cls-bank.com> writes:

> Can you also share the version of expat that CXSDE uses.

It is version 2.1 with a number of bug fixes backported from later versions. The "upstream" (with regards to libxsde) for this work lives here:

https://github.com/boris-kolpackov/libexpat/tree/2.1

To preempt the question of why not upgrade to the latest expat, the reason is that later versions started sacrificing portability in the name of security (like depending on platform-specific date/time functions for hash seeds), which we cannot afford in XSD/e.

> Can you also notify here if and when you happen to publish any
> vulnerabilities to mitre.org.

Yes, will do.


From boris at codesynthesis.com Tue Dec 17 02:52:02 2024
From: boris at codesynthesis.com (Boris Kolpackov)
Date: Tue Dec 17 02:50:58 2024
Subject: [EXT] Re: Re: [xsde-users] Codesynthesis XSDE security vulnerabilities database

Yegnaram, Shrikant writes:

> There are a bunch of vulnerabilities listed on the NVD website for the expat 2.1
> release. Specifically, we are looking at whether CVE-2016-0718 for expat was
> fixed in the Codesynthesis XSD/e 3.2.0 release.

No, XSD/e was released before that vulnerability was discovered. However, you can patch it to fix this (and all other CVEs known to this point) by applying this patch:

https://codesynthesis.com/~boris/tmp/xsde/xsde-genx-expat-patch-8.zip

Specifically, replace the files in your XSD/e 3.2.0 distribution with the files in this archive, rebuild libxsde, and rebuild your application.

> If not, what is the plan for a new XSD/e release with the fixes for
> the libexpat vulnerabilities?

We plan to release 3.3.0 with these fixes in the new year.


From SYegnaram at cls-bank.com Tue Dec 17 11:09:00 2024
From: SYegnaram at cls-bank.com (Yegnaram, Shrikant)
Date: Wed Dec 18 00:56:12 2024
Subject: [EXT] Re: Re: Re: [xsde-users] Codesynthesis XSDE security vulnerabilities database

Thank you Boris. We will wait for the new 3.3.0 distribution. Any tentative release date for this distribution? It will help us plan our application releases.

Thanks,
Shrikant Yegnaram


From boris at codesynthesis.com Wed Dec 18 01:05:45 2024
From: boris at codesynthesis.com (Boris Kolpackov)
Date: Wed Dec 18 01:04:40 2024
Subject: [EXT] Re: Re: Re: [xsde-users] Codesynthesis XSDE security vulnerabilities database

Yegnaram, Shrikant writes:

> We will wait for the new 3.3.0 distribution. Any tentative release
> date for this distribution?

We don't have a firm date, but we currently aim for the first half of 2026.


From SYegnaram at cls-bank.com Wed Dec 18 09:17:28 2024
From: SYegnaram at cls-bank.com (Yegnaram, Shrikant)
Date: Fri Dec 20 02:51:45 2024
Subject: [EXT] Re: Re: Re: Re: [xsde-users] Codesynthesis XSDE security vulnerabilities database

Okay sure, just reconfirming, not a typo, that the 3.3.0 distribution is going to come out in the first half of 2026? You said new year, so I assumed it's going to be in 2025.

Thanks,
Shrikant Yegnaram


From boris at codesynthesis.com Fri Dec 20 02:53:27 2024
From: boris at codesynthesis.com (Boris Kolpackov)
Date: Fri Dec 20 02:53:40 2024
Subject: [EXT] Re: Re: Re: Re: [xsde-users] Codesynthesis XSDE security vulnerabilities database

Yegnaram, Shrikant writes:

> Okay sure, just reconfirming, not a typo, that the 3.3.0 distribution is going
> to come out in the first half of 2026? You said new year, so I assumed it's
> going to be in 2025.

Yes, sorry, it was a typo. We aim for the first half of 2025.
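The point made earlier in the thread, that XSD/e's bundled expat reports version 2.1 while carrying backported fixes, means a scanner that matches on the reported version (as the NVD CPE search in the first message does) cannot by itself distinguish a patched libxsde from an unpatched one. The following is an added example, not code from the thread, from XSD/e or from expat: it parses the `expat_MAJOR.MINOR.MICRO` string that libexpat's `XML_ExpatVersion()` returns and triages a build against a caller-supplied "fixed in" version, treating "below the fix" as a prompt to confirm the backport rather than as proof of exposure; the function names and the `expat_2.2.0` fix version are constructed placeholders.

```c
/* Added example, not code from the thread, XSD/e or expat.  Parses the
 * "expat_MAJOR.MINOR.MICRO" string that libexpat's XML_ExpatVersion() returns
 * and triages a build against the upstream release that first fixed a CVE.
 * Names and sample strings are constructed for this example. */
#include <stdio.h>

struct expat_version { int major, minor, micro; };

/* Returns 1 and fills *v if s is exactly "expat_X.Y.Z", otherwise 0. */
int parse_expat_version(const char *s, struct expat_version *v)
{
    int consumed = 0;
    if (s == NULL || v == NULL)
        return 0;
    if (sscanf(s, "expat_%d.%d.%d%n", &v->major, &v->minor, &v->micro,
               &consumed) != 3)
        return 0;
    /* Reject trailing text ("-beta", "\n") and negative components. */
    if (s[consumed] != '\0' || v->major < 0 || v->minor < 0 || v->micro < 0)
        return 0;
    return 1;
}

/* strcmp-style ordering of two parsed versions. */
int compare_expat_version(const struct expat_version *a,
                          const struct expat_version *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    return (a->micro > b->micro) - (a->micro < b->micro);
}

/* 0 = at or above the fix (CVE does not apply); 1 = below it, so confirm
 * whether the fix was backported (the XSD/e 2.1 case); -1 = bad input. */
int triage_expat_build(const char *reported, const char *fixed_in)
{
    struct expat_version have, fix;
    if (!parse_expat_version(reported, &have) || !parse_expat_version(fixed_in, &fix))
        return -1;
    return compare_expat_version(&have, &fix) < 0;
}

int main(void)
{
    /* "expat_2.2.0" is a placeholder fix version, not taken from the thread. */
    int verdict = triage_expat_build("expat_2.1.0", "expat_2.2.0");
    printf("verdict %d (1 = below fix version, confirm backport)\n", verdict);
    return verdict < 0;
}
```

Linking the check into an application built against libxsde and feeding it the live `XML_ExpatVersion()` string shows what the build actually reports; a verdict of 1 on the 2.1.0 copy is the expected result and is where a manual check of the applied backport patch starts.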