Hello Mike, thanks for noticing that w3c-libwww ships a vulnerable local copy of expat!
On Wed, Oct 21, 2009 at 06:40:08PM -0400, Michael Gilbert wrote:
> hello, a security issue has been disclosed for expat. see [0], [1].
> w3c-libwww embeds expat, so it is also affected. this affects all
> supported debian releases, so please coordinate with the security team
> to prepare DSAs.
>
> mike
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
> [1] https://bugs.gentoo.org/show_bug.cgi?id=280615

w3c-libwww is currently at 5.4.0-11 in oldstable and unstable. I want it
removed from the archive because it is old and suffers from bitrot, see
#440436. So I suggest the following:

 * Simply remove it from unstable; this should be possible with minor
   problems, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440436#63

 * Fix the problem in oldstable by applying the security patch to libwww's
   own copy of expat.

Of course, eliminating the duplicate expat would be cleaner, but the effort
is hardly justified at this point, or what do you think?

The bugfix patch is here; it applies to libwww's expat copy:
https://bugs.gentoo.org/attachment.cgi?id=201849
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.15&r2=1.13

Cheers,

  Richard

-- 
  __   ,
  | ) /|  Richard Atterer
  | \/ |  http://atterer.net
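Added illustration, not part of the thread above and not expat's code or the patch the reply links to. CVE-2009-2625 is a buffer over-read in expat's position tracking (updatePosition in lib/xmltok_impl.c) when a document ends in a truncated multibyte UTF-8 sequence: the tracker advances its pointer by the length the lead byte declares without checking that those bytes actually exist, so the pointer jumps past `end` and the `ptr != end` loop keeps reading out of bounds. The block below shows that bug class in miniature, with a naive walker written so it reports how far it would have overshot instead of actually dereferencing past the buffer, beside a hardened walker that validates the remaining length and continuation bytes. Function names, the `struct position` type and the sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical position tracker, modelled on the bug class only. */
struct position { int line; int column; };

/* Byte length a UTF-8 lead byte declares; 0 for continuation/invalid bytes. */
static size_t utf8_lead_len(unsigned char c)
{
    if (c < 0x80)           return 1;
    if ((c & 0xE0) == 0xC0) return 2;
    if ((c & 0xF0) == 0xE0) return 3;
    if ((c & 0xF8) == 0xF0) return 4;
    return 0;
}

/* Naive tracker: "while (ptr != end) ptr += declared_len". To keep this
 * example safe to run it never dereferences past 'end'; instead it returns
 * the number of bytes the pointer would have stepped beyond the buffer
 * (0 means the walk stayed in bounds). A non-zero result is exactly the state
 * in which the real loop over-reads: ptr has jumped over 'end', so the
 * "ptr != end" condition never becomes false. */
static size_t naive_overshoot(const char *buf, size_t len, struct position *pos)
{
    const unsigned char *ptr = (const unsigned char *)buf;
    const unsigned char *end = ptr + len;
    while (ptr != end) {
        size_t n = utf8_lead_len(*ptr);
        if (n == 0) n = 1;                         /* stray byte: one column */
        if (*ptr == '\n') { pos->line++; pos->column = 0; } else pos->column++;
        if ((size_t)(end - ptr) < n)
            return n - (size_t)(end - ptr);        /* would land past 'end' */
        ptr += n;
    }
    return 0;
}

/* Hardened tracker: the declared length must be available and the trailing
 * bytes must be continuation bytes; otherwise stop and report an error.
 * Returns 0 on success, -1 for a malformed sequence, -2 for a sequence
 * truncated by the end of the buffer. */
static int checked_update_position(const char *buf, size_t len, struct position *pos)
{
    const unsigned char *ptr = (const unsigned char *)buf;
    const unsigned char *end = ptr + len;
    while (ptr < end) {
        size_t n = utf8_lead_len(*ptr);
        if (n == 0) return -1;                     /* not a lead byte */
        if ((size_t)(end - ptr) < n) return -2;    /* truncated at buffer end */
        for (size_t i = 1; i < n; i++)
            if ((ptr[i] & 0xC0) != 0x80) return -1; /* expected continuation */
        if (*ptr == '\n') { pos->line++; pos->column = 0; } else pos->column++;
        ptr += n;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: a well-formed document and one whose final byte is
     * the lead byte of a two-byte sequence with no continuation behind it. */
    const char good[] = "h\xC3\xA9\n!";
    const char trunc[] = "ab\n\xC3";
    struct position p = {1, 0};

    printf("good: checked=%d", checked_update_position(good, strlen(good), &p));
    printf(" line=%d col=%d\n", p.line, p.column);

    p.line = 1; p.column = 0;
    printf("truncated: naive would overshoot by %zu byte(s)\n",
           naive_overshoot(trunc, strlen(trunc), &p));
    p.line = 1; p.column = 0;
    printf("truncated: checked=%d line=%d col=%d\n",
           checked_update_position(trunc, strlen(trunc), &p), p.line, p.column);
    return 0;
}
```

The hardened version is the shape a reviewer should look for when auditing a backported fix to an embedded copy: every advance by a lead-byte length is preceded by a check that the bytes are present, and the loop condition is `ptr < end`, not `ptr != end`, so a bad advance cannot turn into an unbounded read.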