On Tue, Sep 28, 2010 at 07:05:09AM -0400, Jeff Trawick wrote:
> any concerns about the timing?
> any additional fixes people would like to see in that release?

I have been trying to backport security fixes for CVE-2009-3720 and CVE-2009-3560 to the bundled copy of expat but am getting nowhere. The patches available work for 1.95.8 and later, but apr-util bundles 1.95.2 which is significantly different :(

These are both issues which can segfault the XML parser when parsing particular (invalid) documents; a pertinent issue e.g. for those running public DAV servers.

I'm not sure what to recommend here; we could either ship with known vulnerabilities, attempt to upgrade the bundled expat to a more recent version, or drop the bundled expat altogether for new releases. None of these seem attractive.

(The latest upstream is expat 2.0.1, which doesn't have the security fixes applied and 2.x breaks ABI with 1.95.x to boot)

Regards, Joe
