Here's a manual fix of the merge conflicts, needs -p4 since I did it
in a httpd sandbox.

http://people.apache.org/~covener/patches/apu-expat-CVE-2016-0718.diff

I confirmed a simple webdav test worked.  To double-check the merge, I
did see that the patch did not change every call to xmlConvert and we
have the same number of calls and changes as they do.


On Fri, May 27, 2016 at 10:12 AM, Eric Covener <cove...@gmail.com> wrote:
> On Fri, May 27, 2016 at 9:48 AM, David Dillard <davidedill...@gmail.com> wrote:
>> Did anyone see
>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0718?  "Expat
>> allows context-dependent attackers to cause a denial of service (crash) or
>> possibly execute arbitrary code via a malformed input document, which
>> triggers a buffer overflow."
>>
>> A patch used for Debian can be found at
>> http://www.openwall.com/lists/oss-security/2016/05/17/12
>
> Thanks David.
>
> As reported by Seulbae Kim from the Center for Software Security and
> Assurance (CSSA), we either need to spend a lot of time on a bundled
> expat or rip it out from releases. I think one more release with an
> updated expat might be prudent, given the severity of the issue shared
> above.
>
> --
> Eric Covener
> cove...@gmail.com



-- 
Eric Covener
cove...@gmail.com
