On Tue, Sep 28, 2010 at 12:04:59PM -0500, William A. Rowe Jr. wrote:
> On 9/28/2010 10:22 AM, Joe Orton wrote:
> > On Tue, Sep 28, 2010 at 07:05:09AM -0400, Jeff Trawick wrote:
> >> any concerns about the timing?
> >> any additional fixes people would like to see in that release?
> >
> > I have been trying to backport security fixes for CVE-2009-3720 and
> > CVE-2009-3560 to the bundled copy of expat but am getting nowhere. The
> > patches available work for 1.95.8 and later, but apr-util bundles 1.95.2
> > which is significantly different :(
> >
> > These are both issues which can segfault the XML parser when parsing
> > particular (invalid) documents; a pertinent issue e.g. for those running
> > public DAV servers.
> >
> > I'm not sure what to recommend here; we could either ship with known
> > vulnerabilities, attempt to upgrade the bundled expat to a more recent
> > version, or drop the bundled expat altogether for new releases. None of
> > these seem attractive. (The latest upstream is expat 2.0.1, which
> > doesn't have the security fixes applied and 2.x breaks ABI with 1.95.x
> > to boot)
>
> What about bumping to 1.95.final+patches on APR-util 1.3, and moving to
> expat 2.0.1 for APR 2?

Bumping to a later 1.95.x+patches seems feasible actually, yeah, nice idea. I'm going to try to get this done today; I'll probably break the Win32 build (at least!) so help might be required!

> My preference would be to unbundle in APR 2 anyways, and not get tied up
> in 3rd party security quirks, but it seems people still like to solve
> foreign project build issues at apr, httpd etc.

It's gone from the apr trunk already, yup :)

Regards, Joe