JDK JAXP bugs

Cantor, Scott cantor.2 at osu.edu
Wed Jul 20 13:30:33 EDT 2016


Looks like a couple of CVEs in the latest JDK patch involve the XML parser in Java and involve denial of service attacks, more or less similar (in impact, not specifics) to the constant stream of issues with the C++ parser. The IdP is likely vulnerable to both.

I'm just mentioning it because of course people aren't getting these from Oracle's older JDKs without paying, so you really need to either get to Java 8, pay, or use OpenJDK. My opinions about OpenJDK notwithstanding, obviously "supported" is better than "dead".

-- Scott



