Thanks Daniel, sharing this with the dev@ list, as the problem and the fix are both public.

Folks, what are your thoughts? Our expat is already quite old, and the current release was 2.10, while we were still shipping 1.95.7, before this issue popped up. Bumping major versions in a subversion release seems out of place. Perhaps though we can ship this in a 1.6 if we are going to proceed.

Would we want to ship the patch, or would we want to ship expat project's own patches once they update?

In 2.0 we thankfully don't bundle expat any longer, and actually allow libxml2 in place of expat at the user's discretion.

---------- Forwarded message ----------
From: David Dillard <[email protected]>
Date: Fri, Jul 24, 2015 at 9:30 AM
Subject: Vulnerability in APR-UTIL, perhaps APR
To: "[email protected]" <[email protected]>

Hi,

You may already know about this, but in case you don’t, some vulnerabilities were published today against Google Chrome, one of which is in the expat XML library. A copy of this library is included in the latest version of APR-UTIL (1.5.4). Looking at the source it appears that this vulnerability is still present in the version of the code used in APR-UTIL.

Link to the CVE:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1283

Link to the patch in Chrome:
https://codereview.chromium.org/1224303003/diff/1/third_party/expat/files/lib/xmlparse.c

Link to the related source in APR-UTIL:
http://svn.apache.org/viewvc/apr/apr-util/tags/1.5.4/xml/expat/lib/xmlparse.c?revision=1625430&view=markup#l1497

This may affect APR 2.x as well, I’m not sure.

---
David
