Re: Bug Severity Help

2014-10-08 Thread Bill Blough
On Wed, Oct 08, 2014 at 12:21:57PM +0800, Paul Wise wrote: On Wed, Oct 8, 2014 at 11:40 AM, Bill Blough wrote: That's an interesting thought. That would likely resolve the issue as filed in the bug report against the xalan executables. However the same problem would still

Re: Bug Severity Help

2014-10-08 Thread Paul Wise
On Wed, Oct 8, 2014 at 2:08 PM, Bill Blough wrote: Probably so. And while it's an intriguing idea to think about, in my opinion it defeats the purpose, since xalan is an xslt implementation that provides an alternative to libxslt. I think I wasn't clear enough in my suggestion wording. I

Re: Bug Severity Help

2014-10-08 Thread Bill Blough
On Wed, Oct 08, 2014 at 02:12:30PM +0800, Paul Wise wrote: On Wed, Oct 8, 2014 at 2:08 PM, Bill Blough wrote: Probably so. And while it's an intriguing idea to think about, in my opinion it defeats the purpose, since xalan is an xslt implementation that provides an alternative to

Re: Bug Severity Help

2014-10-08 Thread Bill Blough
On Tue, Oct 07, 2014 at 07:07:42PM -0400, Bill Blough wrote: Hi mentors, The original submitter of the bug downgraded the severity himself so it's no longer a decision I need to make. At least not right now. Thanks again to Paul and Adam for your insights. Bill

Bug Severity Help

2014-10-07 Thread Bill Blough
Hi mentors, I am the current maintainer for Xalan [1] and could use some feedback with regard to a particular bug [2]. The bug is currently tagged grave severity due to the possibility of a user-supplied stylesheet causing an out-of-memory condition (due to infinite recursion) and crashing

Re: Bug Severity Help

2014-10-07 Thread Paul Wise
That sounds like a potential denial of service vulnerability. How likely is it that Xalan would be used with untrusted stylesheets supplied by attackers? If you don't think it would be possible to fix it you can ask the release team for a jessie-ignore tag, reportbug release.debian.org, choose 3

Re: Bug Severity Help

2014-10-07 Thread Bill Blough
On Wed, Oct 08, 2014 at 10:53:04AM +0800, Paul Wise wrote: That sounds like a potential denial of service vulnerability. How likely is it that Xalan would be used with untrusted stylesheets supplied by attackers? In my opinion, people *shouldn't* be running untrusted stylesheets any more than

Re: Bug Severity Help

2014-10-07 Thread Paul Wise
On Wed, Oct 8, 2014 at 11:40 AM, Bill Blough wrote: That's an interesting thought. That would likely resolve the issue as filed in the bug report against the xalan executables. However the same problem would still technically exist in the underlying library code (libxalan-c). Though,

Re: Bug Severity Help

2014-10-07 Thread Adam Borowski
On Tue, Oct 07, 2014 at 11:40:53PM -0400, Bill Blough wrote: In my opinion, people *shouldn't* be running untrusted stylesheets any more than they should run untrusted shell scripts or other code. If we conveniently ignore that sometimes people do things that are unwise, then I would say the