Monday, February 15, 2010

Apache XML-RPC 3.1.3

Didn't expect another release of Apache XML-RPC this year. We had one last year and that should do for some time, shouldn't it? At least for such a relatively stable (read: boring) piece of code.

Unexpectedly, Johan H├Ągre detected a security issue: Due to the XML parsers standard configuration, it has been possible to include server side files as entities to the clients request. Vice versa, the server could add client side files to the response. Better fix that soon...

The new distribution is available from any Apache mirror at http://www.apache.org/dyn/closer.cgi/ws/xmlrpc/. If the mirrors don't catch up fast enough, try http://www.apache.org/dist/ws/xmlrpc/