Posted to c-dev@xerces.apache.org by "Alberto Massari (JIRA)" <xe...@xml.apache.org> on 2009/08/24 16:05:59 UTC

[jira] Resolved: (XERCESC-1885) status of CVE-2009-1885 in 2.x branch

     [ https://issues.apache.org/jira/browse/XERCESC-1885?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alberto Massari resolved XERCESC-1885.
--------------------------------------

       Resolution: Fixed
    Fix Version/s: 2.9.0
         Assignee: Alberto Massari

The patch needed only a couple of fixes (XMLSize_t -> unsigned int, getValidationScheme -> getDoValidation); you can find it applied as rev. 807224

Alberto

> status of CVE-2009-1885 in 2.x branch
> -------------------------------------
>
>                 Key: XERCESC-1885
>                 URL: https://issues.apache.org/jira/browse/XERCESC-1885
>             Project: Xerces-C++
>          Issue Type: Bug
>    Affects Versions: 2.8.0
>            Reporter: Jay Berkenbilt
>            Assignee: Alberto Massari
>             Fix For: 2.9.0
>
>
> SVN revision 781488 fixes CVE-2009-1885 and has description, "Avoid recursion when parsing simply nested DTD structures." The patch generated from this revision applies cleanly to the released 3.0.1 sources, but it (not at all surprisingly) does not apply well at all to 2.8.0. Debian maintains packages for both 3.0.1 and 2.8.0 since many software packages have not yet migrated from 2.x to 3.x. Is there any intention of backporting this fix to the 2.x series, or are the 2.x releases now considered unsupported? I'd like to try to get a feel for how much effort I or possibly members of the Debian security team should put into backporting this. Thanks for any input. I was unable to find an issue already in JIRA relating to this. I apologize if I overlooked it.
