httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jorge Schrauwen <>
Subject Re: AVG gives warning unpacking 2.2.15-win32 source
Date Fri, 12 Mar 2010 19:03:02 GMT
On Fri, Mar 12, 2010 at 7:10 PM, William A. Rowe Jr.
<> wrote:
> On 3/12/2010 12:06 PM, Jorge Schrauwen wrote:
>> I'm about to build the x64 binaries for on my website and AVG on my
>> development machine throws this at me.
>> Warning: XML Bomb:
>> srclib/apr-util/test/data/billion-laughs.xml
>> See attached screenshots, most likely harmless but not a nice welcome
>> when unpacking the source.
> You would rather we not warn you of the vulnerability, when you compile against
> your existing expat?

So it's AVG's that's broke? Still sucks that AVG makes it appear that
the xml file is bad.

On Fri, Mar 12, 2010 at 7:20 PM, Gregg L. Smith <> wrote:
> On Windows?
> My suggestion originally was to remove it only from the Win32 zip.
> Gregg

Yep, this was with the windows source zip

On Fri, Mar 12, 2010 at 7:16 PM, Gregg L. Smith <> wrote:
> Hi Jorge,
> I brought this up quite some time ago, which is why I have been moving away
> from AVG since I was basically ignored here :-) That and AVG's many false
> positives. What is worse is, that XML bomb wont hurt anything anymore, and
> it can be gotten around AVG as well just by adding a certain amount of more
> recursions. I will not post the exact number, but at some point it will be
> bypassed.
> My thoughts on this is if this problem is fixed, why does there need to be a
> test against it anymore other than breaking said fix in the future and
> therefore becoming vulnerable again.
> Gregg

Oh didn't notice it back then, any recommendation for a for a free AV
product for windows?
Don't feel like forking over money to just run it on my test system
which runs like... maybe 3h per httpd release to get my x64 binaries

Well if it's harmless and posted before, sorry for not noticing the
original post.


View raw message