This post originated from an RSS feed registered with Java Buzz
by Nick Lothian.
Original Post: ROME 0.9 released
Feed Title: BadMagicNumber
Feed URL: http://feeds.feedburner.com/Badmagicnumber
Feed Description: Java, Development and Me
I did an interesting fix for a ROME XML-based security vulnerability in this release. I plan to blog about it in some depth later, but for the moment it's fair to say that the problem is somewhat obscure, but you probably should upgrade if you care about security. I also submitted patches to fix the same problem in Jakarta FeedParser, and Kevin's Tailrank version of FeedParser. A quick code inspection indicated that Informa is probably vulnerable, too, but I haven't got around to doing a patch for that.