Hi,

Our company is currently using Subversion in our development.

In our recent security analysis scan with Black Duck, it detected 
CVE-2016-0718<https://nvd.nist.gov/vuln/detail/CVE-2016-0718> in Expat, which 
is referenced by Subversion.

This vulnerability has been resolved from Expat 2.2.0 onwards, whereas Expat 
1.6.x is used in the latest version of Subversion, 1.14.1.

We hope you can provide some information on the following queries:

  1.  Is there any plan for Subversion to upgrade with Expat 2.2.0 or above?
  2.  We currently self-build and use Subversion 1.10.6.
     *   May I know if there is any impact if we internally upgrade Expat to 
2.2.0 or above?
     *   What should we pay attention to if we would use the newer version of 
Expat?
  3.  May I know if the issue detected in CVE-2016-0718 has a direct impact on 
Subversion?
     *   According to NVD, it is related to "processing maliciously crafted 
XML may lead to unexpected application termination or arbitrary code 
execution". It may allow context-dependent attackers to cause a denial of service 
(crash) or possibly execute arbitrary code via a malformed input document, 
which triggers a buffer overflow.

Thanks in advance.

Best regards,

Kathy
(Yokogawa Engineering Asia)