Guido Günther <a...@sigxcpu.org> writes:

> Thanks for having a look! I've added twisted-web to dla-needed.txt as
> well (Salvatore already updated data/CVE/list).
My conclusions (for wheezy-security) are that:

* Neither twisted nor twisted-web actually has a vulnerability.
* It is possible that applications which depend on twisted or twisted-web do have this vulnerability; however, I do not consider it a worthwhile use of my time to try to check or test each dependency to find out.
* Upstream chose to mitigate this by removing the twcgi file, which is required for CGI support.
* The CGI support is required for non-Python languages, such as PHP/Perl/CGI.
* If nothing is using this CGI interface, we are not vulnerable and there is no need to make any changes.
* If something does use this CGI interface, and we haven't removed this code, we are vulnerable. Vulnerable to a "minor" security threat.
* If something does use this CGI interface, and we have removed this code, we are not vulnerable because the application is now (most likely) completely broken.

Note: the code that uses CGI may not be in the Debian archive. It could be installed locally or created locally.

As such, I tend to feel the risks of removing this code exceed the risks of not removing it.

I am going to do the same thing as the security team and mark this as no-dsa.

--
Brian May <b...@debian.org>