1. I'm responsible for a number of XML applications, most of them open source.
2. I'm responsible in some way or another to two of the developers mentioned in your article: namely Sun and Apache.
So I need to know what you're talking about, right? How does an advisory about Sun or Apache reach me through El Reg without having come on a security@ list?
OK, these are both big orgs, with lots of different XML applications. Must be none of those I work on or with are affected, right? But your article says "most" open source XML apps (echoes of Eggwina there), and the C libs are the worst affected. Yep, I use mostly C libs, and they're open source.
So I follow your link. Right, neither of the most popular C libs (libxml2 and expat) is listed as affected, unless using expat with python (tick, nope). Good, that's all but two of my apps in the clear, and one of the two is documented as long-since-abandoned-don't-use. What about the final app, which uses Xerces-C++?
The report you link to is still way too vague to be useful. And just to cap it, the two CVE links at the end both lead to Not Found errors from NIST.
Useless FUD? Or what?