I posted a question on February 24 about this but got no response, so I would greatly appreciate some advice on the proper way to get help on this issue. Please note that this isn't a complaint -- just a question to make sure I'm going about this the right way. :-)
I'm asking this question as the maintainer of the xerces packages for Debian. CAN-2004-1575 was described as follows: | The XML parser in Xerces-C++ 2.5.0 allows remote attackers to cause | a denial of service (CPU consumption) via XML attributes in a | crafted XML document. Since some distributions, including Debian, still support some older versions of Xerces than the latest 2.6.0 (we also support 2.6.0), it would be most helpful to us if we could get a patch relative to older versions for this problem. I have looked at all changes in the xerces-c CVS repository from September 9 to October 14 and didn't find anything that seemed like it could possibly be related to this kind of problem. I also searched the cvs log text for all files for "CAN", "CPU" and a few other useful keywords and found nothing relevant. I've also checked JIRA for information about this but didn't find anything. Apparently this problem was discovered 9or just barely in the nick of time to be fixed in 2.6.0, as all the information I've seen on this indicate that the remedy is to upgrade to 2.6.0. Or perhaps it just wasn't made public until the 2.6.0 release. Unfortunately, some packages, notably xerces-p, specifically require older versions, so we have little choice but to support multiple versions of the packages. Can someone point me to an area of code that I should be looking at? A patch against an older version would be ideal but not necessary. If someone can just show me where in the code the problem was fixed in 2.6.0 as compared with 2.5.0, I can take it from there. Some files and CVS revisions or a date range would also help if I am to construct the patch myself. Thanks for any help or pointers you can provide on this, including just telling me what I should be doing instead of posting here. -- Jay Berkenbilt <[EMAIL PROTECTED]> --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
