[ https://issues.apache.org/jira/browse/XERCESC-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17055407#comment-17055407 ]

Scott Cantor commented on XERCESC-2188:
---------------------------------------

Yes, that's kind of the issue, what we can assume about the uses of the class.

Technically, the view of the project is that the internal/ directory, while 
installed into header-space, is not meant to be API, so one can decide that 
any application broken by the change should be fixed, but we can't guarantee 
what is or isn't currently calling that stuff, and if the headers are 
actually installed because they're pulled in by public ones, that would make it 
impossible to de-install them going forward. But I plan to explore that 
question a bit, because if we believe they shouldn't be called, we should try 
to avoid installing them.

In any case, for now I can't say what any downstream should do; we haven't 
really settled on whether to do this as a 3.2.3 or as a 3.3.0.

And no, I have no reproduction of the bug and Red Hat said the same thing, that 
it didn't fail.

> Use-after-free on external DTD scan
> -----------------------------------
>
>                 Key: XERCESC-2188
>                 URL: https://issues.apache.org/jira/browse/XERCESC-2188
>             Project: Xerces-C++
>          Issue Type: Bug
>          Components: Validating Parser (DTD)
>    Affects Versions: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.1.3, 
> 3.1.4, 3.2.1, 3.2.2
>            Reporter: Scott Cantor
>            Priority: Major
>         Attachments: Apache-496067-disclosure-report.pdf
>
>
> This is a record of an unfixed bug reported in 2018 in the DTD scanner, per 
> the attached PDF, corresponding to CVE-2018-1311.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)