On Thu, Oct 22, 2009 at 11:28:46AM +0200, Richard Atterer wrote:
> Hello Mike,
>
> thanks for noticing that w3c-libwww ships a vulnerable local copy of expat!
>
> On Wed, Oct 21, 2009 at 06:40:08PM -0400, Michael Gilbert wrote:
> > hello, a security issue has been disclosed for expat. see [0], [1].
> > w3c-libwww embeds expat, so it is also affected. this affects all
> > supported debian releases, so please coordinate with the security team
> > to prepare DSAs.
> >
> > mike
> >
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
> > [1] https://bugs.gentoo.org/show_bug.cgi?id=280615
>
> w3c-libwww is currently at 5.4.0-11 in oldstable and unstable.
>
> I want it removed from the archive because it is old and suffers from
> bitrot, see #440436.
>
> So I suggest the following:
>
> * Simply remove it from unstable, this should be possible with minor
>   problems, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440436#63
But please proceed with the removal from unstable by filing a removal bug
against ftp.debian.org. Amaya has been removed and the other users have been
fixed.

> * Fix the problem in oldstable by applying the security patch to libwww's
>   own copy of expat. Of course, eliminating the duplicate expat would be
>   cleaner, but the effort is hardly justified at this point, or what do you
>   think?
>
> The bugfix patch is here, it applies to libwww's expat copy:
> https://bugs.gentoo.org/attachment.cgi?id=201849
> http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.15&r2=1.13

Since CVE-2009-2625 doesn't allow code injection, but only DoS, and given that
libwww in oldstable is only used by wmweather, I think we can ignore it, unless
Nico wants to work on an update?

Cheers,
Moritz