update xercesImpl to 2.12.1 (from 2.12.0)

[sseide]

Description

within the current xercesImpl version 2.12.0 a vulnerabilities was found. It is fixed with the update to 2.12.1.

• CVE-2020-14338 (Improper Input Validation)

Motivation and Context

Fix potential security problems

How Has This Been Tested?

run gradlew check, first run failed with one library (xstream) having changed as expected, rerun with "-PupdateExpectedJars" switch and "-PchecksumUpdate".
The following executions of gradlew check and gradlew test succeeded now.

The update of the checksum was needed because the signer of the xercesImpl release has changed and a new gpg key was used to sign the maven release? (see https://issues.apache.org/jira/browse/XERCESJ-1724)

Screenshots (if appropriate):

none

Types of changes

• Bug fix (non-breaking change which fixes an issue)

Checklist:

• My code follows the code style of this project.
• I have updated the documentation accordingly.

[FSchumacher]

I wonder, if it would be better to use the sha512 sum in this case, as the uploaders pgp key can't be found anywhere.

[vlsi]

AFAIK Xerces is ASF project, so the key should be located at http://xerces.apache.org/ somewhere

[vlsi]

Ah, the library was published by @apupier somehow manually (see https://issues.apache.org/jira/browse/XERCESJ-1724)
It is sad Xerces PMC does not publish jars to repository.apache.org :-/

On the other hand, the file at Central is the same as the one in the official release:

$ openssl dgst -sha512 Xerces-J-bin.2.12.1.zip
SHA512(Xerces-J-bin.2.12.1.zip)= 318222b084e2882b16d230a70d0811882d2e46b0e63e8262098e952d25c9caebf32b40c0d0a1ed68a787f6dd017b5a4fa805c00889429115462dfb2e268a8b28

# jar from the official release
$ openssl dgst -sha512 xercesImpl.jar
SHA512(xercesImpl.jar)= 811afd85cdd19545785fde7fb39511f1e171e1d021a96117d105e2b2f37715536e17259e6ad0ce897b4c7c8a5bd1e88c9fa0825b0a2ef9f3956cd82944a33957

# jar from OSSRH
$ openssl dgst -sha512 xercesImpl-2.12.1.jar
SHA512(xercesImpl-2.12.1.jar)= 811afd85cdd19545785fde7fb39511f1e171e1d021a96117d105e2b2f37715536e17259e6ad0ce897b4c7c8a5bd1e88c9fa0825b0a2ef9f3956cd82944a33957

So I agree we should use SHA512, and we should use SHA512 for all other xerces jars.

[FSchumacher]

Thanks for the PR. A version using the SHA512 checksums has been committed to trunk. It would be great, if you could test next build from trunk or nightly.