DonLewisFreeBSD commented on pull request #102:
URL: https://github.com/apache/openoffice/pull/102#issuecomment-703146676


   Testing the serf bug fix would require making an SSL connection through a 
MITM device that redirected SSL network connections intended to go to the 
server "example.com" to a rogue server that has a certificate for 
"example.com\0.badguy.com". Without the fix, the connection would be allowed. 
With the fix, the connection attempt should fail with a certificate error.
   
   I don't have reproducers for the libxml2 fixes, but they would need to be 
embedded in a document and two of the bugs would cause a potential DoS (memory 
leak or infinite loop).
   
   Since the patches came from upstream, I'm inclined to trust them as long as 
we don't see any regressions.  The libxml2 patches will be included in the next 
release.  The serf patch has been part of a released version of serf for many 
years.  Unfortunately upgrading to a fixed release of serf is non-trivial.
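The failure mode the comment describes, as an added illustration that is not serf's code and not part of the pull request: a certificate's CN comes out of the DER decoder as a byte string with an explicit length, and a matcher that hands it to C string routines stops at the embedded NUL, so "example.com\0.badguy.com" compares equal to "example.com". The byte arrays, the function names `match_hostname_vulnerable` and `match_hostname_fixed`, and the 256-byte buffer are all constructed for this example; they are not taken from serf or OpenSSL.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the CN bytes of a rogue certificate as a DER decoder
 * would return them, i.e. a byte string with an explicit length that happens
 * to contain an embedded NUL. Hypothetical data, not a real certificate. */
static const unsigned char ROGUE_CN[] = {
    'e','x','a','m','p','l','e','.','c','o','m','\0',
    '.','b','a','d','g','u','y','.','c','o','m'
};
#define ROGUE_CN_LEN (sizeof ROGUE_CN)

/* The honest certificate's CN, also constructed, for comparison. */
static const unsigned char HONEST_CN[] = {
    'e','x','a','m','p','l','e','.','c','o','m'
};
#define HONEST_CN_LEN (sizeof HONEST_CN)

/* Pre-fix behaviour: the length-delimited CN is copied into a C string and
 * compared with strcmp, which stops at the first NUL. The rogue CN therefore
 * matches "example.com". Returns 1 on match, 0 otherwise. */
int match_hostname_vulnerable(const unsigned char *cn, size_t cn_len,
                              const char *expected)
{
    char buf[256];
    if (cn_len >= sizeof buf)
        return 0;
    memcpy(buf, cn, cn_len);
    buf[cn_len] = '\0';          /* the embedded NUL already truncated buf */
    return strcmp(buf, expected) == 0;
}

/* Fixed behaviour: compare using the decoder's explicit length, and refuse
 * any CN that contains a NUL at all, since no legitimate hostname does.
 * Returns 1 on match, 0 on mismatch or malformed CN. */
int match_hostname_fixed(const unsigned char *cn, size_t cn_len,
                         const char *expected)
{
    size_t expected_len = strlen(expected);
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;                /* embedded NUL: treat as malformed */
    if (cn_len != expected_len)
        return 0;
    return memcmp(cn, expected, cn_len) == 0;
}

int main(void)
{
    const char *host = "example.com";
    printf("vulnerable, rogue CN : %s\n",
           match_hostname_vulnerable(ROGUE_CN, ROGUE_CN_LEN, host)
               ? "accepted" : "rejected");
    printf("fixed, rogue CN      : %s\n",
           match_hostname_fixed(ROGUE_CN, ROGUE_CN_LEN, host)
               ? "accepted" : "rejected");
    printf("fixed, honest CN     : %s\n",
           match_hostname_fixed(HONEST_CN, HONEST_CN_LEN, host)
               ? "accepted" : "rejected");
    return 0;
}
```

The point of the fixed matcher is that the length comes from the ASN.1 structure, never from a NUL search; rejecting any CN that contains a NUL is the cheap extra check, because a real hostname cannot contain one and a certificate that does is hostile or broken either way.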


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.