openoffice-dev mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] [openoffice] DonLewisFreeBSD commented on pull request #102: Libxml+serf 418
Date Sat, 03 Oct 2020 18:37:33 GMT

DonLewisFreeBSD commented on pull request #102:
URL: https://github.com/apache/openoffice/pull/102#issuecomment-703146676


Testing the serf bug fix would require making an SSL connection through a MITM device that
redirected SSL network connections intended to go to the server "example.com" to a rogue
server that has a certificate for "example.com\0.badguy.com".  Without the fix, the connection
would be allowed.  With the fix, the connection attempt should fail with a certificate error.

I don't have reproducers for the libxml2 fixes, but they would need to be embedded in a
document, and two of the bugs would cause a potential DoS (memory leak or infinite loop).

Since the patches came from upstream, I'm inclined to trust them as long as we don't see
any regressions.  The libxml2 patches will be included in the next release.  The serf patch
has been part of a released version of serf for many years.  Unfortunately, upgrading to a
fixed release of serf is non-trivial.
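The comment above describes the certificate-name check the serf patch hardens: a name such as "example.com\0.badguy.com" looks like "example.com" to any code that treats it as a C string, because the comparison stops at the embedded NUL byte. The following is an added example, not serf's or OpenOffice's code, showing a naive check that accepts such a name beside a hardened one that rejects it. The `struct cert_name` type and the sample names are constructed here for illustration; a real X.509 parser hands back the name as a length-prefixed ASN.1 string in its own types.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical representation of a subject name as an X.509 parser returns it:
 * a byte buffer plus an explicit length. ASN.1 strings are length-prefixed,
 * so the bytes may legally contain NUL. (Constructed for this example.) */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Naive check: treats the name as a NUL-terminated C string. Everything after
 * the first NUL byte is invisible to strcmp(), so a name whose bytes are
 * "example.com\0.badguy.com" compares equal to "example.com". */
int naive_match(const struct cert_name *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Compare two labels over their full declared lengths, case-insensitively. */
static int labels_equal(const unsigned char *a, size_t alen,
                        const char *b, size_t blen)
{
    size_t i;
    if (alen != blen)
        return 0;
    for (i = 0; i < alen; i++) {
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    }
    return 1;
}

/* Hardened check: any NUL byte inside the declared length means the C-string
 * view and the ASN.1 view disagree, so the name is rejected outright. The
 * comparison then runs over the full declared length. A leading "*." wildcard
 * is honoured for exactly one leftmost label and must leave at least two
 * labels after it (so "*.com" never matches). */
int safe_match(const struct cert_name *cn, const char *host)
{
    size_t hostlen = strlen(host);

    if (cn->len == 0 || memchr(cn->data, '\0', cn->len) != NULL)
        return 0;                               /* embedded NUL: reject */

    if (cn->len > 2 && cn->data[0] == '*' && cn->data[1] == '.') {
        const char *dot;
        if (memchr(cn->data + 2, '.', cn->len - 2) == NULL)
            return 0;                           /* wildcard too broad */
        dot = strchr(host, '.');
        if (dot == NULL)
            return 0;
        /* The wildcard covers the first host label; compare the rest. */
        return labels_equal(cn->data + 1, cn->len - 1,
                            dot, hostlen - (size_t)(dot - host));
    }
    return labels_equal(cn->data, cn->len, host, hostlen);
}

/* Constructed sample names. sizeof minus one drops the array's own terminator
 * but keeps the NUL embedded in the middle of the evil name (length 23). */
static const unsigned char evil_bytes[] = "example.com\0.badguy.com";
static const unsigned char good_bytes[] = "example.com";
static const unsigned char wild_bytes[] = "*.example.com";
static const struct cert_name evil_cn = { evil_bytes, sizeof evil_bytes - 1 };
static const struct cert_name good_cn = { good_bytes, sizeof good_bytes - 1 };
static const struct cert_name wild_cn = { wild_bytes, sizeof wild_bytes - 1 };

int main(void)
{
    printf("naive_match(evil, example.com) = %d\n", naive_match(&evil_cn, "example.com"));
    printf("safe_match(evil, example.com)  = %d\n", safe_match(&evil_cn, "example.com"));
    printf("safe_match(good, example.com)  = %d\n", safe_match(&good_cn, "example.com"));
    printf("safe_match(wild, www.example.com) = %d\n", safe_match(&wild_cn, "www.example.com"));
    return 0;
}
```

The decisive line is the `memchr` test: rather than trying to compare around the NUL, the hardened check treats any disagreement between the ASN.1 length and the C-string length as a malformed name and fails closed, which is the behaviour the comment expects from the patched serf (a certificate error instead of a connection).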


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org

