[
https://issues.apache.org/jira/browse/XERCESC-1885?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12746319#action_12746319
]
Jay Berkenbilt commented on XERCESC-1885:
-----------------------------------------
(Hey neat, I got issue number 1885 for CVE-2009-1885.)
> status of CVE-2009-1885 in 2.x branch
> -------------------------------------
>
> Key: XERCESC-1885
> URL: https://issues.apache.org/jira/browse/XERCESC-1885
> Project: Xerces-C++
> Issue Type: Bug
> Affects Versions: 2.8.0
> Reporter: Jay Berkenbilt
>
> SVN revision 781488 fixes CVE-2009-1885 and has description, "Avoid recursion
> when parsing simply nested DTD structures." The patch generated from this
> revision applies cleanly to the released 3.0.1 sources, but it (not at all
> surprisingly) does not apply well at all to 2.8.0. Debian maintains packages
> for both 3.0.1 and 2.8.0 since many software packages have not yet migrated
> from 2.x to 3.x. Is there any intention of backporting this fix to the 2.x
> series, or are the 2.x releases now considered unsupported? I'd like to try
> to get a feel for how much effort I or possibly members of the debian
> security team should put into backporting this. Thanks for any input. I was
> unable to find an issue already in JIRA relating to this. I apologize if I
> overlooked it.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
