On Fri, May 27, 2016 at 10:12 AM, Eric Covener wrote:
> On Fri, May 27, 2016 at 9:48 AM, David Dillard wrote:
> > Did anyone see
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0718? "Expat
> > allows context-dependent attackers to cause a denial of service (crash) or
> > poss
Here's a manual fix of the merge conflicts, needs -p4 since I did it
in a httpd sandbox.
http://people.apache.org/~covener/patches/apu-expat-CVE-2016-0718.diff
I confirmed a simple webdav test worked. To double-check the merge, I
did see that the patch did not change every call to xmlConvert and
On Fri, May 27, 2016 at 9:48 AM, David Dillard wrote:
> Did anyone see
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0718? "Expat
> allows context-dependent attackers to cause a denial of service (crash) or
> possibly execute arbitrary code via a malformed input document, which
> tr
Did anyone see
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0718? "Expat
allows context-dependent attackers to cause a denial of service (crash) or
*possibly execute arbitrary code* via a malformed input document, which
triggers a buffer overflow."
A patch used for Debian can be foun