On 31.07.2015 22:50, William A Rowe Jr wrote:
> Thanks Daniel, sharing this with the dev@ list, as the problem and the
> fix are both public.
>
> Folks, what are your thoughts? Our expat is already quite old, and
> the current release was 2.10, while we were still shipping 1.95.7,
> before this issue popped up.
>
> Bumping major versions in a subversion release seems out of place.
> Perhaps though we can ship this in a 1.6 if we are going to proceed.

I agree, we should bundle the latest Expat in 1.6.

> Would we want to ship the patch,
> or would we want to ship expat project's own patches once they update?

Ideally we'd use the Expat project's patches, but it's likely that they'll just fix 2.10 and roll a new release; that won't help us with the code we bundle in 1.4.x/1.5.x.

> In 2.0 we thankfully don't bundle expat any longer, and actually allow
> libxml2 in place of expat at the user's discretion.

Whew, yes! :)

-- Brane

> ---------- Forwarded message ----------
> From: David Dillard <[email protected]>
> Date: Fri, Jul 24, 2015 at 9:30 AM
> Subject: Vulnerability in APR-UTIL, perhaps APR
> To: [email protected]
>
> Hi,
>
> You may already know about this, but in case you don't, some
> vulnerabilities were published today against Google Chrome, one of
> which is in the expat XML library. A copy of this library is included
> in the latest version of APR-UTIL (1.5.4). Looking at the source it
> appears that this vulnerability is still present in the version of the
> code used in APR-UTIL.
>
> Link to the CVE:
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1283
>
> Link to the patch in Chrome:
> https://codereview.chromium.org/1224303003/diff/1/third_party/expat/files/lib/xmlparse.c
>
> Link to the related source in APR-UTIL:
> http://svn.apache.org/viewvc/apr/apr-util/tags/1.5.4/xml/expat/lib/xmlparse.c?revision=1625430&view=markup#l1497
>
> This may affect APR 2.x as well, I'm not sure.
>
> --- David
