Your message dated Mon, 03 Feb 2014 01:33:23 +0000
with message-id <[email protected]>
and subject line Bug#383422: fixed in rawdog 2.19-1
has caused the Debian Bug report #383422,
regarding feedparser code embedded in rawdog and possibly may be out of date and vulnerable
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
383422: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=383422
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: rawdog
Severity: important
Tags: security

I have been working on a tool called Clonewise to automatically identify
embedded code copies in Debian packages and determine if they are out of
date and vulnerable. Ideally, embedding code and libraries should be
avoided and a system wide library should be used instead.

I recently ran the tool on Debian 6 stable. The results are here at
http://www.foocodechu.com/downloads/Clonewise-report.txt*

*The rawdog package reported potential issues appended to this message.

The analysis tries to justify why it believes a library or code is embedded
in the package and if the relationship is not already being tracked by
Debian in the embedded-code-copies database it shows the files that are
shared between the two pieces of software.

Apologies if these are false positives. Your help in advising me on whether
these issues are real will help me improve the analysis for the future.

--
Silvio Cesare
Deakin University

### Summary:
###

feedparser CLONED_IN_SOURCE rawdog <unfixed> CVE-2011-1156
feedparser CLONED_IN_SOURCE rawdog <unfixed> CVE-2011-1157
feedparser CLONED_IN_SOURCE rawdog <unfixed> CVE-2011-1158

### Reports by package:
###
# Package rawdog may be vulnerable to the following issues:
#
        CVE-2011-1156
        CVE-2011-1157
        CVE-2011-1158


# SUMMARY: feedparser.py in Universal Feed Parser (aka feedparser or
python-feedparser) before 5.0.1 allows remote attackers to cause a
denial of service (application crash) via a malformed DOCTYPE
declaration.
#

# CVE-2011-1156 relates to a vulnerability in package feedparser.
# The following source filenames are likely responsible:
#       feedparser.py
#

# The following package clones are tracked in the embedded-code-copies
# database. They have not been fixed.
#

feedparser CLONED_IN_SOURCE rawdog <unfixed> CVE-2011-1156


# SUMMARY: Cross-site scripting (XSS) vulnerability in feedparser.py
in Universal Feed Parser (aka feedparser or python-feedparser) 5.x
before 5.0.1 allows remote attackers to inject arbitrary web script or
HTML via malformed XML comments.
#

# CVE-2011-1157 relates to a vulnerability in package feedparser.
# The following source filenames are likely responsible:
#       feedparser.py
#

# The following package clones are tracked in the embedded-code-copies
# database. They have not been fixed.
#

feedparser CLONED_IN_SOURCE rawdog <unfixed> CVE-2011-1157


# SUMMARY: Cross-site scripting (XSS) vulnerability in feedparser.py
in Universal Feed Parser (aka feedparser or python-feedparser) 5.x
before 5.0.1 allows remote attackers to inject arbitrary web script or
HTML via an unexpected URI scheme, as demonstrated by a javascript:
URI.
#

# CVE-2011-1158 relates to a vulnerability in package feedparser.
# The following source filenames are likely responsible:
#       feedparser.py
#

# The following package clones are tracked in the embedded-code-copies
# database. They have not been fixed.
#

feedparser CLONED_IN_SOURCE rawdog <unfixed> CVE-2011-1158

--- End Message ---
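A defender-side illustration of the CVE-2011-1158 class described above: links carried in feed entries are checked against a scheme allowlist before they are rendered, so a `javascript:` (or `data:`) URI is dropped instead of becoming a clickable link. This is an added example, not code from the bug report, rawdog or feedparser; the flat `{"link": ...}` entry layout and the `SAFE_SCHEMES` set are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Schemes a feed reader should turn into clickable links.  Anything else
# (javascript:, data:, vbscript:, ...) is dropped rather than escaped.
# Assumed allowlist for this example; a real reader would configure its own.
SAFE_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})


def sanitize_link(url):
    """Return url if its scheme is allowlisted (or it is relative), else None.

    ASCII control characters are removed and surrounding whitespace stripped
    first, because browsers ignore them when parsing a scheme: both
    ' JavaScript:alert(1)' and 'java\\tscript:alert(1)' must be rejected.
    """
    if url is None:
        return None
    cleaned = "".join(ch for ch in url if ord(ch) >= 0x20).strip()
    if not cleaned:
        return None
    scheme = urlsplit(cleaned).scheme  # urlsplit lowercases the scheme
    if scheme == "":
        return cleaned  # relative link such as /item/1; no scheme to abuse
    return cleaned if scheme in SAFE_SCHEMES else None


def sanitize_entries(entries):
    """Copy each entry, replacing a rejected 'link' with None.

    Returns (cleaned_entries, number_of_links_dropped) so the caller can
    log how many hostile links a feed carried.
    """
    cleaned, dropped = [], 0
    for entry in entries:
        safe = sanitize_link(entry.get("link"))
        if entry.get("link") is not None and safe is None:
            dropped += 1
        cleaned.append(dict(entry, link=safe))
    return cleaned, dropped


# Constructed sample entries for the example, not real feed data.
SAMPLE_ENTRIES = [
    {"title": "ok", "link": "https://example.net/post/1"},
    {"title": "xss", "link": " JavaScript:alert(1)"},
    {"title": "tab", "link": "java\tscript:alert(1)"},
    {"title": "rel", "link": "/relative/item"},
    {"title": "data", "link": "data:text/html,x"},
]

if __name__ == "__main__":
    entries, dropped = sanitize_entries(SAMPLE_ENTRIES)
    print("dropped %d of %d links" % (dropped, len(SAMPLE_ENTRIES)))
```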
--- Begin Message ---
Source: rawdog
Source-Version: 2.19-1

We believe that the bug you reported is fixed in the latest version of
rawdog, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Sampson <[email protected]> (supplier of updated rawdog package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sun, 02 Feb 2014 15:15:57 +0000
Source: rawdog
Binary: rawdog
Architecture: source all
Version: 2.19-1
Distribution: unstable
Urgency: low
Maintainer: Adam Sampson <[email protected]>
Changed-By: Adam Sampson <[email protected]>
Description: 
 rawdog     - RSS Aggregator Without Delusions Of Grandeur
Closes: 383422 650776 651080 657206 660507 737116
Changes: 
 rawdog (2.19-1) unstable; urgency=low
 .
   * New maintainer (Closes: #660507)
   * New upstream release (Closes: #651080, #737116)
   * Remove Debian patch that replaced feedfinder; this was merged upstream and
     extended in rawdog 2.15. (Closes: #650776, #657206)
   * Depend on python-feedparser, which is no longer bundled with upstream
     rawdog. (Closes: #383422)
   * Recommend python-tidylib.
   * Provide a virtual python-rawdoglib package, for other packages that use
     rawdog's internal modules.
   * Update the package to use debhelper 9, which simplifies the rules file.
   * Update package description.
   * Add a watch file.
   * Put the copyright file into machine-readable form.
   * Install the upstream changelog.
   * Check that the package meets Debian policy version 3.9.5 (no further
     changes needed), and update Standards-Version.


--- End Message ---
