ROME 0.9 released

Dave has done some great work getting the ROME 0.9 release out. There's also a new release of the ROME Fetcher.

I did an interesting fix for a ROME XML-based security vulnerability in this release. I plan to blog about it in some depth later, but for the moment it's fair to say that the problem is somewhat obscure, but you probably should upgrade if you care about security. I also submitted patches to fix the same problem in Jakarta FeedParser and Kevin's Tailrank version of FeedParser. A quick code inspection indicated that Informa is probably vulnerable too, but I haven't got around to doing a patch for that.

Nelson (who pointed this out to us) has said that about 3/4 of the XML applications he's encountered are vulnerable to this problem. After the lengths I had to go to to fix it, I'm not surprised – insecure by design is how I'd describe the XML APIs.
