Greetings William,

On Thu, Sep 10, 2009 at 8:18 PM, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
> No, you misinterpreted; the application developer must expose a DoS/memory
> exhaustion vector; where that exists, and the affected version of APR
> is used, and the information written to the never-allocated buffer just
> happens to overlap some predictable, current allocations, then the external
> user may trigger a segfault but possibly worse, depending ENTIRELY on
> the code in the application.

It is my understanding this is all based on the amount of input and how it is sanitized. We would appreciate it if, for the sake of the users that cannot upgrade at this moment, you could kindly provide a source or example of what would constitute an open "DoS/memory exhaustion vector" so that we may evaluate our code at the instances it receives user input.

Thank you

David