On 9/28/2010 10:22 AM, Joe Orton wrote:
> On Tue, Sep 28, 2010 at 07:05:09AM -0400, Jeff Trawick wrote:
>> any concerns about the timing?
>> any additional fixes people would like to see in that release?
>
> I have been trying to backport security fixes for CVE-2009-3720 and
> CVE-2009-3560 to the bundled copy of expat but am getting nowhere. The
> patches available work for 1.95.8 and later, but apr-util bundles 1.95.2
> which is significantly different :(
>
> These are both issues which can segfault the XML parser when parsing
> particular (invalid) documents; a pertinent issue e.g. for those running
> public DAV servers.
>
> I'm not sure what to recommend here; we could either ship with known
> vulnerabilities, attempt to upgrade the bundled expat to a more recent
> version, or drop the bundled expat altogether for new releases. None of
> these seem attractive. (The latest upstream is expat 2.0.1, which
> doesn't have the security fixes applied and 2.x breaks ABI with 1.95.x
> to boot)

What about bumping to 1.95.final+patches on APR-util 1.3, and moving to expat 2.0.1 for APR 2? My preference would be to unbundle in APR 2 anyways, and not get tied up in 3rd party security quirks, but it seems people still like to solve foreign project build issues at apr, httpd etc.
