Package: python-django-djblets
Severity: important
Tags: security

I have been working on a tool called Clonewise to automatically identify embedded code copies in Debian packages and determine if they are out of date and vulnerable. Ideally, embedding code and libraries should be avoided and a system-wide library should be used instead.

I recently ran the tool on Debian 6 stable. The results are here at http://www.foocodechu.com/downloads/Clonewise-report.txt

The python-django-djblets package reported potential issues, appended to this message. The analysis tries to justify why it believes a library or code is embedded in the package and, if the relationship is not already being tracked by Debian in the embedded-code-copies database, it shows the files that are shared between the two pieces of software.

Apologies if these are false positives. Your help in advising me on whether these issues are real will help me improve the analysis for the future.

--
Silvio Cesare
Deakin University

### Summary: ###

feedparser CLONED_IN_SOURCE python-django-djblets <unfixed> CVE-2011-1156
feedparser CLONED_IN_SOURCE python-django-djblets <unfixed> CVE-2011-1157
feedparser CLONED_IN_SOURCE python-django-djblets <unfixed> CVE-2011-1158

### Reports by package: ###

# Package python-django-djblets may be vulnerable to the following issues:
# CVE-2011-1156 CVE-2011-1157 CVE-2011-1158
# SUMMARY: feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) before 5.0.1 allows remote attackers to cause a denial of service (application crash) via a malformed DOCTYPE declaration.
#
# CVE-2011-1156 relates to a vulnerability in package feedparser.
# The following source filenames are likely responsible:
# feedparser.py
#
# The following package clones are NOT tracked in the embedded-code-copies
# database.
#
feedparser CLONED_IN_SOURCE python-django-djblets <unfixed> CVE-2011-1156
MATCH feedparser.py/feedparser.py (6.814543)
MATCH setup.py/setup.py (2.336070)

# SUMMARY: Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) 5.x before 5.0.1 allows remote attackers to inject arbitrary web script or HTML via malformed XML comments.
#
# CVE-2011-1157 relates to a vulnerability in package feedparser.
# The following source filenames are likely responsible:
# feedparser.py
#
# The following package clones are NOT tracked in the embedded-code-copies
# database.
#
feedparser CLONED_IN_SOURCE python-django-djblets <unfixed> CVE-2011-1157
MATCH feedparser.py/feedparser.py (6.814543)
MATCH setup.py/setup.py (2.336070)

# SUMMARY: Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) 5.x before 5.0.1 allows remote attackers to inject arbitrary web script or HTML via an unexpected URI scheme, as demonstrated by a javascript: URI.
#
# CVE-2011-1158 relates to a vulnerability in package feedparser.
# The following source filenames are likely responsible:
# feedparser.py
#
# The following package clones are NOT tracked in the embedded-code-copies
# database.
#
feedparser CLONED_IN_SOURCE python-django-djblets <unfixed> CVE-2011-1158
MATCH feedparser.py/feedparser.py (6.814543)
MATCH setup.py/setup.py (2.336070)