On Tue, Oct 07, 2014 at 07:07:42PM -0400, Bill Blough wrote:
>
> Hi mentors,
>
The original submitter of the bug downgraded the severity himself so it's no
longer a decision I need to make. At least not right now.
Thanks again to Paul and Adam for your insights.
Bill
On Wed, Oct 08, 2014 at 02:12:30PM +0800, Paul Wise wrote:
> On Wed, Oct 8, 2014 at 2:08 PM, Bill Blough wrote:
>
> > Probably so. And while it's an intriguing idea to think about, in my opinion
> > it defeats the purpose, since xalan is an xslt implementation that provides an
> > alte
On Wed, Oct 8, 2014 at 2:08 PM, Bill Blough wrote:
> Probably so. And while it's an intriguing idea to think about, in my opinion
> it defeats the purpose, since xalan is an xslt implementation that provides an
> alternative to libxslt.
I think I wasn't clear enough in my suggestion wording.
On Wed, Oct 08, 2014 at 12:21:57PM +0800, Paul Wise wrote:
> On Wed, Oct 8, 2014 at 11:40 AM, Bill Blough wrote:
>
> > That's an interesting thought. That would likely resolve the issue as filed in
> > the bug report against the xalan executables. However the same problem would
> > sti
On Tue, Oct 07, 2014 at 11:40:53PM -0400, Bill Blough wrote:
> In my opinion, people *shouldn't* be running untrusted stylesheets any more
> than they should run untrusted shell scripts or other code. If we conveniently
> ignore that sometimes people do things that are unwise, then I would say
On Wed, Oct 8, 2014 at 11:40 AM, Bill Blough wrote:
> That's an interesting thought. That would likely resolve the issue as filed in
> the bug report against the xalan executables. However the same problem would
> still technically exist in the underlying library code (libxalan-c). Though,
>
On Wed, Oct 08, 2014 at 10:53:04AM +0800, Paul Wise wrote:
> That sounds like a potential denial of service vulnerability.
>
> How likely is it that Xalan would be used with untrusted stylesheets
> supplied by attackers?
In my opinion, people *shouldn't* be running untrusted stylesheets any more
th
That sounds like a potential denial of service vulnerability.
How likely is it that Xalan would be used with untrusted stylesheets
supplied by attackers?
If you don't think it would be possible to fix it you can ask the
release team for a jessie-ignore tag, reportbug release.debian.org,
choose "3 o
Hi mentors,
I am the current maintainer for Xalan [1] and could use some feedback with
regard to a particular bug [2].
The bug is currently tagged grave severity due to the possibility of a
user-supplied stylesheet causing an out-of-memory condition (due to infinite
recursion) and crashing the