apr-dev mailing list archives

From "William A. Rowe Jr." <wmr...@gmail.com>
Subject Re: intent to T&R apr-util 1.3.10 sometime Thursday
Date Tue, 28 Sep 2010 17:04:59 GMT
On 9/28/2010 10:22 AM, Joe Orton wrote:
> On Tue, Sep 28, 2010 at 07:05:09AM -0400, Jeff Trawick wrote:
>> any concerns about the timing?
>> any additional fixes people would like to see in that release?
> 
> I have been trying to backport security fixes for CVE-2009-3720 and 
> CVE-2009-3560 to the bundled copy of expat but am getting nowhere.  The 
> patches available work for 1.95.8 and later, but apr-util bundles 1.95.2 
> which is significantly different :(
> 
> These are both issues which can segfault the XML parser when parsing 
> particular (invalid) documents; a pertinent issue e.g. for those running 
> public DAV servers.
> 
> I'm not sure what to recommend here; we could either ship with known 
> vulnerabilities, attempt to upgrade the bundled expat to a more recent 
> version, or drop the bundled expat altogether for new releases.  None of 
> these seem attractive.  (The latest upstream is expat 2.0.1, which 
> doesn't have the security fixes applied and 2.x breaks ABI with 1.95.x 
> to boot)

What about bumping to 1.95.final+patches on APR-util 1.3, and moving to
expat 2.0.1 for APR 2?

My preference would be to unbundle in APR 2 anyways, and not get tied up
in 3rd party security quirks, but it seems people still like to solve
foreign project build issues at apr, httpd etc.
