apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Orton <jor...@redhat.com>
Subject Re: intent to T&R apr-util 1.3.10 sometime Thursday
Date Wed, 29 Sep 2010 08:11:35 GMT
On Tue, Sep 28, 2010 at 12:04:59PM -0500, William A. Rowe Jr. wrote:
> On 9/28/2010 10:22 AM, Joe Orton wrote:
> > On Tue, Sep 28, 2010 at 07:05:09AM -0400, Jeff Trawick wrote:
> >> any concerns about the timing?
> >> any additional fixes people would like to see in that release?
> > 
> > I have been trying to backport security fixes for CVE-2009-3720 and 
> > CVE-2009-3560 to the bundled copy of expat but am getting nowhere.  The 
> > patches available work for 1.95.8 and later, but apr-util bundles 1.95.2 
> > which is significantly different :(
> > 
> > These are both issues which can segfault the XML parser when parsing 
> > particular (invalid) documents; a pertinent issue e.g. for those running 
> > public DAV servers.
> > 
> > I'm not sure what to recommend here; we could either ship with known 
> > vulnerabilities, attempt to upgrade the bundled expat to a more recent 
> > version, or drop the bundled expat altogether for new releases.  None of 
> > these seem attractive.  (The latest upstream is expat 2.0.1, which 
> > doesn't have the security fixes applied and 2.x breaks ABI with 1.95.x 
> > to boot)
> 
> What about bumping to 1.95.final+patches on APR-util 1.3, and moving to
> expat 2.0.1 for APR 2?

Bumping to a later 1.95.x+patches seems feasible actually, yeah, nice 
idea.  I'm going to try to get this done today; I'll probably break the 
Win32 build (at least!) so help might be required!

> My preference would be to unbundle in APR 2 anyways, and not get tied up
> in 3rd party security quirks, but it seems people still like to solve
> foreign project build issues at apr, httpd etc.

It's gone from the apr trunk already, yup :)

Regards, Joe

Mime
View raw message