Andy Green writes:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Sam Varshavchik wrote:
| W3C stopped maintaining libwww three years ago | (http://www.w3.org/Library/). So, what should one do after finding a | bunch of major, but non-security related flaws in libwww?
Their CVS seems active
http://dev.w3.org/cvsweb/libwww/
README there suggests Jose Kahan was recently working on it: if he doesn't maintain it he probably knows who does.
His spamproofed Email is at the bottom of this page:
http://www.w3.org/People/Jose/
A minor update. Upon further investigation one of the bugs turned into an illegal out-of-bounds memory access, which, I guess makes it a security issue.
Any hostile server could now potentially cause any libwww client to segfault, from the looks of things. This includes the LWP module. What a gawdawful messâ
The function which is responsible for this mess is beyond hope, and must be rewritten.
Attachment:
pgpWzyX8HCsxC.pgp
Description: PGP signature
