Thanks for your email and raised concern, Jeremy.

Full accessibility in Smuxi has been a high priority for me for a long
time.

I looked into the vulnerability of the log4net library that Smuxi depends
on. My assessment doesn't classify an XXE for a local configuration file as
release critical. An attacker would need to have write access to the
configuration file to exploit it. At that point an XXE is pointless, he can
just execute curl, wget, perl, python or write something to ~/.bashrc
directly.
Having identified the offending code, the fix is a one-line change on the
other hand. I plan to upload a fixed version of log4net in the coming days.

To bump the version to the latest one of log4net so late in the release
cycle I don't see as a good option. There are 2 other reverse dependencies
that could break, of which I am not upstream.

Best regards,

Mirco Bauer

Smuxi and Debian developer


On Sun, 10 Jan 2021, 19:53 Jérémy Prego, <jer...@pregonetwork.net> wrote:

> hello,
>
> as a blind user, I regret removing smuxi from debian. I am a daily smuxi
> user. Unfortunately, this is the only accessible graphical irc client
> that I know of under Debian. for other types of messaging i use pidgin,
> but for irc i really like to use smuxi ...
>
> is there really no solution to keep smuxi in debian?
>
> thanks,
>
> Jerem
> On 10/01/2021 at 05:39, Debian testing autoremoval watch wrote:
> > smuxi 1.0.7-5.1 is marked for autoremoval from testing on 2021-02-08
> >
> > It (build-)depends on packages with these RC bugs:
> > 977468: log4net: CVE-2018-1285
> >  https://bugs.debian.org/977468
> >
> >
> >
> > This mail is generated by:
> >
> https://salsa.debian.org/release-team/release-tools/-/blob/master/mailer/mail_autoremovals.pl
> >
> > Autoremoval data is generated by:
> >
> https://salsa.debian.org/qa/udd/-/blob/master/udd/testing_autoremovals_gatherer.pl
>
>
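The reply above describes the log4net issue (CVE-2018-1285) as an XXE in the parsing of a local XML configuration file, fixable with a one-line change. The following C# snippet is an added illustration of that class of fix and is not code from this thread, from Smuxi, or from log4net's own source: it loads a configuration document with DTD processing prohibited and no external resolver, so entity declarations can never be expanded. The class and method names are hypothetical, and the assumption that log4net's actual fix takes this shape is mine, not something the thread states.

```csharp
// Added example (not from the thread or from log4net): hardened XML config
// loading that refuses DTDs. Names and inputs are constructed for illustration.
using System;
using System.IO;
using System.Xml;

public static class SafeConfigLoader
{
    // Parser settings under which external-entity expansion is impossible:
    // DTDs are rejected outright and there is no resolver to fetch anything.
    private static readonly XmlReaderSettings HardenedSettings = new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit, // the single setting that closes the hole
        XmlResolver = null                      // defence in depth: nothing to resolve with
    };

    // Parses an XML configuration document. Any DOCTYPE (and therefore any
    // entity declaration) makes XmlReader throw an XmlException.
    public static XmlDocument Load(string xmlText)
    {
        var doc = new XmlDocument { XmlResolver = null };
        using (var sr = new StringReader(xmlText))
        using (var reader = XmlReader.Create(sr, HardenedSettings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    // Convenience wrapper: true when the document parses, false when the
    // hardened reader rejects it.
    public static bool IsAccepted(string xmlText)
    {
        try
        {
            Load(xmlText);
            return true;
        }
        catch (XmlException)
        {
            return false;
        }
    }

    public static void Main()
    {
        // Constructed sample inputs: a minimal log4net-style config, and the
        // same config prefixed with a DOCTYPE that declares a harmless internal
        // entity. The second one is what the hardened settings exist to refuse.
        const string plain =
            "<log4net><root><level value=\"INFO\"/></root></log4net>";
        const string withDoctype =
            "<!DOCTYPE log4net [<!ENTITY lvl \"INFO\">]>" +
            "<log4net><root><level value=\"&lvl;\"/></root></log4net>";

        Console.WriteLine("plain config accepted: " + IsAccepted(plain));
        Console.WriteLine("config with DOCTYPE accepted: " + IsAccepted(withDoctype));
    }
}
```

With these settings the plain document loads normally while the one carrying a DOCTYPE is rejected before any entity is looked at, which is the behaviour a packager would want to confirm after applying a fix of this kind to an XML-configured library. Setting `DtdProcessing` to `Prohibit` is what blocks entity expansion; the null resolvers cost nothing and guard against a later code path that re-enables DTDs.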
