apr-util 1.6.0 will ship without an embedded copy of the expat software. Obtaining expat and keeping it refreshed and up to date with respect to security patches will become an exercise for the user/admin/vendor.
This is scheduled for "RSN" - real soon now. Bill On Wed, May 24, 2017 at 1:43 AM, Stefan Priebe - Profihost AG <[email protected]> wrote: > Hello list, > > while reading "http://www.ieee-security.org/TC/SP2017/papers/71.pdf"; > they claim to have found unpatched security holes in apache httpd. While > reading further it seems that the only missing peace is the unpatched > xmlparse from expat. > > While searching on our build server it turns out to me that the bug is > not in apache httpd but in aprutil: > > # grep -nHr 'newHash = hash' apr-util-1.5.4 > > apr-util-1.5.4/xml/expat/lib/xmlparse.c:5431: unsigned long > newHash = hash(table->v[i]->name); > > Did i miss anything from the paper? Is a new apr-util version planned > which fixes the problem? Are there any special build options or modules > needed? > > Greets, > Stefan
