Posted to dev@openoffice.apache.org by GitBox <gi...@apache.org> on 2020/09/30 22:36:15 UTC

[GitHub] [openoffice] DonLewisFreeBSD opened a new pull request #102: Libxml+serf 418

DonLewisFreeBSD opened a new pull request #102:
URL: https://github.com/apache/openoffice/pull/102


   Bug fixes from upstream for bundled libxml2 and serf modules
   
   * libxml2
     - Possible infinite loop in xmlStringLenDecodeEntities
     - Make sure that truncated UTF-8 sequences don't cause an out-of-bounds array access.
     - Fix memory leak in xmlSchemaValidateStream
   
   * serf
     - Fix handling of NUL characters in certificate fields


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org


[GitHub] [openoffice] DonLewisFreeBSD commented on pull request #102: Libxml+serf 418

Posted by GitBox <gi...@apache.org>.
DonLewisFreeBSD commented on pull request #102:
URL: https://github.com/apache/openoffice/pull/102#issuecomment-703146676


   Testing the serf bug fix would require making an SSL connection through a MITM device that redirected SSL network connections intended to go to the server "example.com" to a rogue server that has a certificate for "example.com\0.badguy.com".  Without the fix, the connection would be allowed.  With the fix, the connection attempt should fail with a certificate error.
   
   I don't have reproducers for the libxml2 fixes, but they would need to be embedded in a document and two of the bugs would cause a potential DoS (memory leak or infinite loop).
   
   Since the patches came from upstream, I'm inclined to trust them as long as we don't see any regressions.  The libxml2 patches will be included in the next release.  The serf patch has been part of a released version of serf for many years.  Unfortunately upgrading to a fixed release of serf is non-trivial.
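The certificate-field bug described in the comment above is the classic embedded-NUL mismatch: a DER string in a certificate carries an explicit length and may contain a NUL byte, but C string functions stop at the first NUL, so "example.com\0.badguy.com" compares equal to "example.com". The following is an added illustration of that bug class and its fix, not serf's code or the patch in this PR; the function names and the constructed CN byte strings are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Weak check (the defect): treats the certificate name as a C string,
 * ignores the DER length, and therefore stops at the first NUL byte. */
int hostname_matches_weak(const unsigned char *cn, size_t cn_len,
                          const char *expected)
{
    (void)cn_len;                         /* length discarded: the bug */
    return strcmp((const char *)cn, expected) == 0;
}

/* Hardened check: refuse any name whose DER length covers an embedded
 * NUL, then compare using the explicit length rather than strcmp. */
int hostname_matches(const unsigned char *cn, size_t cn_len,
                     const char *expected)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0;                         /* embedded NUL: reject outright */
    if (strlen(expected) != cn_len)
        return 0;                         /* lengths differ: cannot match */
    return memcmp(cn, expected, cn_len) == 0;
}

/* Constructed sample values (not taken from the page): the CN bytes and
 * their true DER length, as a certificate parser would hand them over.
 * sizeof(...) - 1 excludes the array's own trailing terminator only. */
static const unsigned char forged_cn[] = "example.com\0.badguy.com";
static const size_t forged_cn_len = sizeof(forged_cn) - 1;   /* 23 bytes */
static const unsigned char honest_cn[] = "example.com";
static const size_t honest_cn_len = sizeof(honest_cn) - 1;   /* 11 bytes */

int main(void)
{
    const char *expected = "example.com";

    printf("weak check, forged CN:  %s\n",
           hostname_matches_weak(forged_cn, forged_cn_len, expected)
               ? "ACCEPTED (bug)" : "rejected");
    printf("fixed check, forged CN: %s\n",
           hostname_matches(forged_cn, forged_cn_len, expected)
               ? "accepted" : "REJECTED (correct)");
    printf("fixed check, honest CN: %s\n",
           hostname_matches(honest_cn, honest_cn_len, expected)
               ? "accepted (correct)" : "rejected");
    return 0;
}
```

The detection point for a reviewer is any place where a length-carrying certificate field (CN, SAN, issuer) is passed to strcmp, strcasecmp or strlen without first confirming that the explicit length and the C-string length agree; the memchr test above is the minimal guard.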




[GitHub] [openoffice] DonLewisFreeBSD merged pull request #102: Libxml+serf 418

Posted by GitBox <gi...@apache.org>.
DonLewisFreeBSD merged pull request #102:
URL: https://github.com/apache/openoffice/pull/102

