From: Joe Orton
To: Jeff Trawick
Cc: dev@apr.apache.org
Date: Tue, 28 Sep 2010 16:22:04 +0100
Subject: Re: intent to T&R apr-util 1.3.10 sometime Thursday
Message-ID: <20100928152204.GA27621@redhat.com>

On Tue, Sep 28, 2010 at 07:05:09AM -0400, Jeff Trawick wrote:
> any concerns about the timing?
> any additional fixes people would like to see in that release?

I have been trying to backport security fixes for CVE-2009-3720 and CVE-2009-3560 to the bundled copy of expat but am getting nowhere. The patches available work for 1.95.8 and later, but apr-util bundles 1.95.2, which is significantly different :(

These are both issues which can segfault the XML parser when parsing particular (invalid) documents; a pertinent issue, e.g., for those running public DAV servers.

I'm not sure what to recommend here; we could either ship with known vulnerabilities, attempt to upgrade the bundled expat to a more recent version, or drop the bundled expat altogether for new releases. None of these seem attractive. (The latest upstream is expat 2.0.1, which doesn't have the security fixes applied, and 2.x breaks ABI with 1.95.x to boot.)

Regards, Joe