Security Update: Echo 2.1.1, 3.0.b6 Available

Posted by tliebeck

The default Java XML parser configuration is not secure against untrusted content and allows for XML external entity (XXE) attacks. This update modifies Echo to include custom parser configuration options that disallow all external XML entities. Many thanks to the SEC Consult Vulnerability Lab for reporting this issue. Updating to the latest version is strongly recommended.

This bug could allow retrieval of files readable by the JVM. Some XML parsers may be unaffected by this bug, but in any case, it is strongly recommended to update to these latest versions of the Echo platform.

Client-side users of Echo3 are not affected by this issue.

This update additionally includes a small number of bugfixes relative to the 2.1.0/3.0.b5 releases. A 3.0.b6 version of Extras is also available (note however that older versions of the extras library are not affected by the security issue, provided the Echo version is 3.0.b6 or later).

Comment by a.schild

Interesting that Echo was looked at by SEC.

And congratulations to you that apparently no other flaws have been found.