Hi,
* Richard Atterer <rich...@atterer.net> [2009-10-22 15:34]:
> On Wed, Oct 21, 2009 at 06:40:08PM -0400, Michael Gilbert wrote:
> > hello, a security issue has been disclosed for expat. see [0], [1].
> > w3c-libwww embeds expat, so it is also affected. this affects all
> > supported debian releases, so please coordinate with the security team
> > to prepare DSAs.
> >
> > mike
> >
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
> > [1] https://bugs.gentoo.org/show_bug.cgi?id=280615
>
> w3c-libwww is currently at 5.4.0-11 in oldstable and unstable.
>
> I want it removed from the archive because it is old and suffers from
> bitrot, see #440436.
>
> So I suggest the following:
>
> * Simply remove it from unstable, this should be possible with minor
> problems, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440436#63

Yes, sounds good to me.

> * Fix the problem in oldstable by applying the security patch to libwww's
> own copy of expat. Of course, eliminating the duplicate expat would be
> cleaner, but the effort is hardly justified at this point, or what do you
> think?
>
> The bugfix patch is here, it applies to libwww's expat copy:
> https://bugs.gentoo.org/attachment.cgi?id=201849
> http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.15&r2=1.13

As the patch is rather unintrusive, I'd say it is no big deal to fix that in
the embedded copy for now. Of course I'd also welcome removing the embedded
code copy, but in case you are not aware of similar issues existing in it,
the former should be fine.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.