Posted to dev@subversion.apache.org by Daniel Shahaf <d....@daniel.shahaf.name> on 2016/05/09 22:15:10 UTC

Re: [jira] [Updated] (SVN-4630) Unrestricted internal XML entities expansion

Ivan Zhakov (JIRA) wrote on Mon, May 09, 2016 at 10:53:12 +0000:
> 
>      [ https://issues.apache.org/jira/browse/SVN-4630?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
> 
> Ivan Zhakov updated SVN-4630:
> -----------------------------
>     Component/s:     (was: mod_dav_svn)
>                  tools
> 
> Changing {{Component}} to {{tools}}, since this is a mod_dontdothat-specific
> problem and mod_dav_svn is not affected.

Just making sure: did you see the following remark at the end of the
report:

> > The Expat parser creation in {{subversion/libsvn_ra_serf/util.c}} and {{subversion/libsvn_subr/xml.c}} should be fixed as well, but these are in the client-side code (I think), and therefore less of a security concern.

?

Re: [jira] [Updated] (SVN-4630) Unrestricted internal XML entities expansion

Posted by Ivan Zhakov <iv...@apache.org>.
On 10 May 2016 at 01:15, Daniel Shahaf <d....@daniel.shahaf.name> wrote:
> Ivan Zhakov (JIRA) wrote on Mon, May 09, 2016 at 10:53:12 +0000:
>>
>>      [ https://issues.apache.org/jira/browse/SVN-4630?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
>>
>> Ivan Zhakov updated SVN-4630:
>> -----------------------------
>>     Component/s:     (was: mod_dav_svn)
>>                  tools
>>
>> Changing {{Component}} to {{tools}}, since this is a mod_dontdothat-specific
>> problem and mod_dav_svn is not affected.
>
> Just making sure: did you see the following remark at the end of the
> report:
>
>> > The Expat parser creation in {{subversion/libsvn_ra_serf/util.c}} and
>> > {{subversion/libsvn_subr/xml.c}} should be fixed as well, but these are
>> > in the client-side code (I think), and therefore less of a security concern.
>
Yes, I noticed that, but forgot that JIRA allows specifying multiple
components for issues. I've added libsvn_ra_serf as a component for this
issue. Thanks for the heads-up!


-- 
Ivan Zhakov