oss-security - Re: CVE-2025-68280: Apache SIS: XML External Entity (XXE) vulnerability

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Message-ID: <0852ef98-a57a-4938-8feb-3d40117f3d53@pipping.org>
Date: Mon, 5 Jan 2026 18:48:48 +0100
From: Sebastian Pipping <sebastian@...ping.org>
To: oss-security@...ts.openwall.com
Cc: Hanno Böck <hanno@...eck.de>,
 Alan Coopersmith <alan.coopersmith@...cle.com>
Subject: Re: CVE-2025-68280: Apache SIS: XML External Entity
 (XXE) vulnerability

On 1/5/26 14:18, Martin Desruisseaux wrote:
> Users are recommended to upgrade to version 1.6, which will fix the issue. In the meantime, the security vulnerability can be avoided by launching Java with the javax.xml.accessExternalDTD system property sets to a comma-separated list of authorized protocols. For example:
> 
> java -Djavax.xml.accessExternalDTD="" ...

The related commit seems to be 
https://github.com/apache/sis/commit/5bfa162bd56edb7d41d56a0c926592964d31d83b 
?

It would rock if Oracle would finally fix 3+ XML parser defaults
from vulnerable for years to secure for everyone using Java.

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.