status of CVE-2009-1885 in 2.x branch
-------------------------------------
Key: XERCESC-1885
URL: https://issues.apache.org/jira/browse/XERCESC-1885
Project: Xerces-C++
Issue Type: Bug
Affects Versions: 2.8.0
Reporter: Jay Berkenbilt
SVN revision 781488 fixes CVE-2009-1885 and has description, "Avoid recursion
when parsing simply nested DTD structures." The patch generated from this
revision applies cleanly to the released 3.0.1 sources, but it (not at all
surprisingly) does not apply well at all to 2.8.0. Debian maintains packages
for both 3.0.1 and 2.8.0 since many software packages have not yet migrated
from 2.x to 3.x. Is there any intention of backporting this fix to the 2.x
series, or are the 2.x releases now considered unsupported? I'd like to try to
get a feel for how much effort I or possibly members of the Debian security
team should put into backporting this. Thanks for any input. I was unable to
find an issue already in JIRA relating to this. I apologize if I overlooked it.