From: shihua guo <shihua.guo_at_oracle.com>
Date: Wed, 24 Jul 2013 09:36:24 +0800

Hi all,

We are fixing XML DoS security vulnerability bugs on Metro, including
Bug 16999151, Bug 16999177, Bug 16999195. Upgrading Woodstox from 4.1.2
to 4.2.0 on JAX-WS RI is required for fixing these XML DoS Bugs. Please
review the changes in pom.xml below (the base directory is
https://svn.java.net/svn/jax-ws~sources/branches/jaxws22/jaxws-ri
<https://svn.java.net/svn/jax-ws%7Esources/branches/jaxws22/jaxws-ri>):

Index: boms/bom-ext/pom.xml
===================================================================
--- boms/bom-ext/pom.xml (revision 14094)
+++ boms/bom-ext/pom.xml (working copy)
@@ -64,7 +64,8 @@
<eclipselink.version>2.4.0</eclipselink.version>
          <junit.version>3.8.1</junit.version>
          <mail.version>1.4.5</mail.version>
- <servlet-api.version>3.0.1</servlet-api.version>
+ <servlet-api.version>3.0.1</servlet-api.version>
+ <woodstox-core-asl.version>4.2.0</woodstox-core-asl.version>
      </properties>

      <dependencyManagement>
Index: boms/bom/pom.xml
===================================================================
--- boms/bom/pom.xml (revision 14094)
+++ boms/bom/pom.xml (working copy)
@@ -113,7 +113,6 @@
          <saaj-impl.version>1.3.21</saaj-impl.version>
<streambuffer.version>1.5.3</streambuffer.version>
          <stax2-api.version>3.1.1</stax2-api.version>
- <woodstox-core-asl.version>4.1.2</woodstox-core-asl.version>
<javax.annotation-api.version>1.2-b03</javax.annotation-api.version>
      </properties>

Thanks and best regards,
Eric