apr-dev mailing list archives

From William A Rowe Jr <wr...@rowe-clan.net>
Subject Fwd: Vulnerability in APR-UTIL, perhaps APR
Date Fri, 31 Jul 2015 20:50:08 GMT
Thanks Daniel, sharing this with the dev@ list, as the problem and the fix
are both public.

Folks, what are your thoughts?  Our expat is already quite old, and the
current release was 2.10, while we were still shipping 1.95.7, before this
issue popped up.

Bumping major versions in a subversion release seems out of place.  Perhaps
though we can ship this in a 1.6 if we are going to proceed.  Would we want
to ship the patch, or would we want to ship the expat project's own patches
once they update?

In 2.0 we thankfully don't bundle expat any longer, and actually allow
libxml2 in place of expat at the user's discretion.


---------- Forwarded message ----------
From: David Dillard <ddillard@symantec.com>
Date: Fri, Jul 24, 2015 at 9:30 AM
Subject: Vulnerability in APR-UTIL, perhaps APR
To: "security@apache.org" <security@apache.org>


Hi,



You may already know about this, but in case you don’t, some
vulnerabilities were published today against Google Chrome, one of which is
in the expat XML library.  A copy of this library is included in the latest
version of APR-UTIL (1.5.4).  Looking at the source it appears that this
vulnerability is still present in the version of the code used in APR-UTIL.



Link to the CVE:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1283

Link to the patch in Chrome:
https://codereview.chromium.org/1224303003/diff/1/third_party/expat/files/lib/xmlparse.c

Link to the related source in APR-UTIL:
http://svn.apache.org/viewvc/apr/apr-util/tags/1.5.4/xml/expat/lib/xmlparse.c?revision=1625430&view=markup#l1497



This may affect APR 2.x as well, I’m not sure.





--- David
