Re: CVE-2025-68280: Apache SIS: XML External Entity (XXE) vulnerability

[Sebastian Pipping <sebastian () pipping org>]

On 1/5/26 14:18, Martin Desruisseaux wrote:
> Users are recommended to upgrade to version 1.6, which will fix the issue. In the meantime, the security vulnerability 
> can be avoided by launching Java with the javax.xml.accessExternalDTD system property sets to a comma-separated list of 
> authorized protocols. For example:
>
> java -Djavax.xml.accessExternalDTD="" ...

The related commit seems to be 
https://github.com/apache/sis/commit/5bfa162bd56edb7d41d56a0c926592964d31d83b 
?

It would rock if Oracle would finally fix 3+ XML parser defaults
from vulnerable for years to secure for everyone using Java.