apr-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: intent to T&R apr-util 1.3.10 sometime Thursday
Date Tue, 28 Sep 2010 15:22:04 GMT
On Tue, Sep 28, 2010 at 07:05:09AM -0400, Jeff Trawick wrote:
> any concerns about the timing?
> any additional fixes people would like to see in that release?

I have been trying to backport security fixes for CVE-2009-3720 and 
CVE-2009-3560 to the bundled copy of expat but am getting nowhere.  The 
patches available work for 1.95.8 and later, but apr-util bundles 1.95.2 
which is significantly different :(

These are both issues which can segfault the XML parser when parsing 
particular (invalid) documents; a pertinent issue e.g. for those running 
public DAV servers.

I'm not sure what to recommend here; we could either ship with known 
vulnerabilities, attempt to upgrade the bundled expat to a more recent 
version, or drop the bundled expat altogether for new releases.  None of 
these seem attractive.  (The latest upstream is expat 2.0.1, which 
doesn't have the security fixes applied, and 2.x breaks ABI with 1.95.x 
to boot.)

Regards, Joe
