Return-Path: 
 <dev-return-26350-apmail-apr-dev-archive=apr.apache.org@apr.apache.org>
X-Original-To: apmail-apr-dev-archive@www.apache.org
Delivered-To: apmail-apr-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 8326C18C5A
	for <apmail-apr-dev-archive@www.apache.org>;
 Wed, 12 Aug 2015 07:05:00 +0000 (UTC)
Received: (qmail 67990 invoked by uid 500); 12 Aug 2015 07:05:00 -0000
Delivered-To: apmail-apr-dev-archive@apr.apache.org
Received: (qmail 67889 invoked by uid 500); 12 Aug 2015 07:05:00 -0000
Mailing-List: contact dev-help@apr.apache.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:dev@apr.apache.org>
List-Help: <mailto:dev-help@apr.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@apr.apache.org>
List-Id: <dev.apr.apache.org>
Delivered-To: mailing list dev@apr.apache.org
Received: (qmail 67880 invoked by uid 99); 12 Aug 2015 07:05:00 -0000
Received: from mail-relay.apache.org (HELO mail-relay.apache.org)
 (140.211.11.15)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 12 Aug 2015 07:05:00 +0000
Received: from gauss.localdomain (v4-861345e7.pool.vitroconnect.de
 [134.19.69.231])
	by mail-relay.apache.org (ASF Mail Server at mail-relay.apache.org) with
 ESMTPSA id ED3AE1A003F
	for <dev@apr.apache.org>; Wed, 12 Aug 2015 07:04:59 +0000 (UTC)
Received: from [IPv6:::1] (localhost [IPv6:::1])
	by gauss.localdomain (Postfix) with ESMTP id 969AE177
	for <dev@apr.apache.org>; Wed, 12 Aug 2015 09:04:58 +0200 (CEST)
Message-ID: <55CAF01A.5070007@apache.org>
Date: Wed, 12 Aug 2015 09:04:58 +0200
From: Ruediger Pluem <rpluem@apache.org>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64;
 rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1
MIME-Version: 1.0
To: dev@apr.apache.org
Subject: Re: Fwd: Vulnerability in APR-UTIL, perhaps APR
References: 
 <402AE8E1D2FBB84ABE4AB494310DC4A97C781F11F5@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
 <CACsi253PWDJuhH3vXAyB97AQsRewnWU=8r=uq3ub4BeFUgpt5w@mail.gmail.com>
 <55BE961C.60209@apache.org>
In-Reply-To: <55BE961C.60209@apache.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit



On 08/03/2015 12:13 AM, Branko Čibej wrote:
> On 31.07.2015 22:50, William A Rowe Jr wrote:
>> Thanks Daniel, sharing this with the dev@ list, as the problem and the
>> fix are both public.
>>
>> Folks, what are your thoughts?  Our expat is already quite old, and
>> the current release 
>> was 2.10, while we were still shipping 1.95.7, before this issue
>> popped up.
>>
>> Bumping major versions in a subversion release seems out of place. 
>> Perhaps though
>> we can ship this in a 1.6 if we are going to proceed.
> 
> I agree, we should bundle the latest Expat in 1.6.

+1

> 
>>   Would we want to ship the patch,
>> or would we want to ship expat project's own patches once they update?
> 
> Ideally we'd use the Expat project's patches, but it's likely that
> they'll just fix 2.10 and roll a new release; that won't help us with
> the code we bundle 1.4.x/1.5.x.

What about upgrading to the latest 1.95.x available and apply the needed project patches or backports of them like
mentioned by Joe?

Regards

Rüdiger