apr-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: Fwd: Vulnerability in APR-UTIL, perhaps APR
Date Wed, 12 Aug 2015 07:04:58 GMT


On 08/03/2015 12:13 AM, Branko Čibej wrote:
> On 31.07.2015 22:50, William A Rowe Jr wrote:
>> Thanks Daniel, sharing this with the dev@ list, as the problem and the
>> fix are both public.
>>
>> Folks, what are your thoughts?  Our expat is already quite old, and
>> the current release was 2.10, while we were still shipping 1.95.7,
>> before this issue popped up.
>>
>> Bumping major versions in a subversion release seems out of place.
>> Perhaps though we can ship this in a 1.6 if we are going to proceed.
> 
> I agree, we should bundle the latest Expat in 1.6.

+1

> 
>>   Would we want to ship the patch,
>> or would we want to ship expat project's own patches once they update?
> 
> Ideally we'd use the Expat project's patches, but it's likely that
> they'll just fix 2.10 and roll a new release; that won't help us with
> the code we bundle 1.4.x/1.5.x.

What about upgrading to the latest 1.95.x available and applying the needed project patches or
backports of them, as mentioned by Joe?

Regards

Rüdiger
