* Stefan Sperling:

> On Sat, Apr 23, 2016 at 05:55:23PM +0200, Florian Weimer wrote:
>> It seems that mod_dontdothat creates an Expat XML parser without
>> inhibiting XML entity expansion for the internal DTD subset. This
>> might cause a denial-of-service issue when parsing client-submitted
>> XML.
>>
>> There are other pieces of code in Subversion which also create Expat
>> parsers this way, but they are in the client code, so there is less
>> exposure.
>>
>> May I file an issue for this?
>
> Sure.

Thanks.

> If you'd rather not expose details publicly, you can instead submit
> a report as described here: http://subversion.apache.org/security/

There is already a public Fedora bug report about this, so it doesn't
really matter at this point.
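The hardening discussed in this thread, sketched as an added example (not part of the original messages and not Subversion's code): one way to inhibit entity expansion for the internal DTD subset is to abort parsing as soon as an entity declaration is seen. It uses Python's `xml.parsers.expat` binding to Expat; `parse_untrusted`, `EntityDeclarationRejected`, `verdict` and the sample documents are hypothetical names and constructed inputs.

```python
import xml.parsers.expat


class EntityDeclarationRejected(ValueError):
    """Raised when a document declares an entity in its DTD."""


def parse_untrusted(data: bytes) -> list:
    """Parse client-submitted XML and return element names in document order.

    Parsing stops at the first entity declaration, so nothing declared in
    the internal DTD subset is ever expanded in the document body.
    """
    elements = []
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_parameter, value, base,
                       system_id, public_id, notation):
        # Fires while the DTD is being read, before the root element.
        # The exception propagates out of parser.Parse().
        raise EntityDeclarationRejected(f"entity declaration: {name!r}")

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(data, True)
    return elements


def verdict(data: bytes) -> str:
    """Return 'accepted' or 'rejected' for a request body."""
    try:
        parse_untrusted(data)
        return "accepted"
    except EntityDeclarationRejected:
        return "rejected"


# Constructed sample inputs (small on purpose; the second only shows the shape
# of nested internal entities, it is not a resource-exhausting document).
BENIGN = b"<request><path>/trunk &amp; branches</path></request>"
NESTED_ENTITIES = (
    b'<!DOCTYPE request [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;">]>'
    b"<request><path>&b;</path></request>"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("nested", NESTED_ENTITIES)):
        print(label, verdict(body))
```

The predefined entities such as `&amp;` need no declaration, so ordinary request bodies still parse.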
