Bug#551938: w3c-libwww: CVE-2009-2625
tags 551938 wontfix patch
severity 551938 normal
thanks

On Fri, Oct 23, 2009 at 06:48:21PM +0200, Moritz Muehlenhoff wrote:
> > Well, I've already prepared new versions of the packages, although they
> > are completely untested ATM, except that I had a look at them with
> > debdiff/interdiff: http://atterer.net/libwww/
>
> Please upload this for an oldstable point update. Please use
> distribution=oldstable and file a bug against release.debian.org (with
> reportbug from testing/unstable), so that the stable release managers can
> ack the upload.

Hmm, since I haven't really tested the packages at all and you don't seem to
think that the issue is important, I won't push for inclusion in a point
update.

Cheers,

  Richard

-- 
Richard Atterer | http://atterer.net

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#551938: w3c-libwww: CVE-2009-2625
Richard Atterer wrote:
> > Since CVE-2009-2625 doesn't allow code injection, but only DoS and given
> > that libwww in oldstable is only used by wmweather, I think we can ignore
> > it, unless Nico wants to work on an update?
>
> Well, I've already prepared new versions of the packages, although they
> are completely untested ATM, except that I had a look at them with
> debdiff/interdiff: http://atterer.net/libwww/

Please upload this for an oldstable point update. Please use
distribution=oldstable and file a bug against release.debian.org (with
reportbug from testing/unstable), so that the stable release managers can
ack the upload.

Cheers,
        Moritz
Bug#551938: w3c-libwww: CVE-2009-2625
Hello Mike,

thanks for noticing that w3c-libwww ships a vulnerable local copy of expat!

On Wed, Oct 21, 2009 at 06:40:08PM -0400, Michael Gilbert wrote:
> hello,
>
> a security issue has been disclosed for expat. see [0], [1]. w3c-libwww
> embeds expat, so it is also affected. this affects all supported debian
> releases, so please coordinate with the security team to prepare DSAs.
>
> mike
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
> [1] https://bugs.gentoo.org/show_bug.cgi?id=280615

w3c-libwww is currently at 5.4.0-11 in oldstable and unstable. I want it
removed from the archive because it is old and suffers from bitrot, see
#440436. So I suggest the following:

* Simply remove it from unstable, this should be possible with minor
  problems, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440436#63

* Fix the problem in oldstable by applying the security patch to libwww's
  own copy of expat. Of course, eliminating the duplicate expat would be
  cleaner, but the effort is hardly justified at this point, or what do you
  think?

The bugfix patch is here, it applies to libwww's expat copy:
https://bugs.gentoo.org/attachment.cgi?id=201849
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.15&r2=1.13

Cheers,

  Richard

-- 
Richard Atterer | http://atterer.net
Bug#551938: w3c-libwww: CVE-2009-2625
Hi,

* Richard Atterer <rich...@atterer.net> [2009-10-22 15:34]:
> On Wed, Oct 21, 2009 at 06:40:08PM -0400, Michael Gilbert wrote:
> > hello,
> >
> > a security issue has been disclosed for expat. see [0], [1]. w3c-libwww
> > embeds expat, so it is also affected. this affects all supported debian
> > releases, so please coordinate with the security team to prepare DSAs.
> >
> > mike
> >
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
> > [1] https://bugs.gentoo.org/show_bug.cgi?id=280615
>
> w3c-libwww is currently at 5.4.0-11 in oldstable and unstable. I want it
> removed from the archive because it is old and suffers from bitrot, see
> #440436. So I suggest the following:
>
> * Simply remove it from unstable, this should be possible with minor
>   problems, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440436#63

Yes, sounds good to me.

> * Fix the problem in oldstable by applying the security patch to libwww's
>   own copy of expat. Of course, eliminating the duplicate expat would be
>   cleaner, but the effort is hardly justified at this point, or what do you
>   think?
>
> The bugfix patch is here, it applies to libwww's expat copy:
> https://bugs.gentoo.org/attachment.cgi?id=201849
> http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.15&r2=1.13

As the patch is rather unintrusive, I'd say it is no big deal to fix that in
the embedded copy for now. Of course I'd also welcome removing the embedded
code copy, but in case you are not aware of similar issues existing in it,
the former should be fine.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.
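The point Richard and Nico settle above, that a CVE fix for expat has to be applied to every bundled copy and not only to the system library, generalises to any source tree. The script below is an added example, not code from this bug thread or from w3c-libwww: it walks an unpacked tree, recognises a bundled expat by expat's own source file names (xmltok_impl.c and friends, an assumption about what a copy looks like), and reads the version each copy declares from the XML_MAJOR_VERSION/XML_MINOR_VERSION/XML_MICRO_VERSION macros in an expat.h found in or below that directory. Copies with no such header are reported as "unknown". The fixture tree built by build_fixture() is constructed for this example and does not reproduce the real w3c-libwww layout.

```python
"""Locate bundled copies of expat in a source tree and report their versions.

Added example, not code from the bug thread or from w3c-libwww. It assumes a
copy is identifiable by expat's own source file names and that, where an
expat.h exists, it carries the XML_*_VERSION macros. build_fixture() creates
a constructed sample tree for demonstration purposes only.
"""
import os
import re
import tempfile
from pathlib import Path

# Source files that only expat ships; a directory containing any of them
# is treated as a bundled copy (assumption for this example).
EXPAT_SOURCES = {"xmltok_impl.c", "xmlparse.c", "xmltok.c", "xmlrole.c"}

# Version macros as defined in expat.h, e.g. "#define XML_MAJOR_VERSION 1".
VERSION_RE = re.compile(
    r"^\s*#\s*define\s+XML_(MAJOR|MINOR|MICRO)_VERSION\s+(\d+)", re.MULTILINE
)


def expat_version(copy_dir):
    """Return 'major.minor.micro' from an expat.h in or below copy_dir, else 'unknown'."""
    for header in sorted(Path(copy_dir).rglob("expat.h")):
        parts = dict(VERSION_RE.findall(header.read_text(errors="replace")))
        if all(k in parts for k in ("MAJOR", "MINOR", "MICRO")):
            return "%s.%s.%s" % (parts["MAJOR"], parts["MINOR"], parts["MICRO"])
    return "unknown"


def find_expat_copies(root):
    """Return sorted (relative_dir, version) pairs, one per bundled expat under root."""
    root = Path(root)
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if EXPAT_SOURCES & set(filenames):
            rel = Path(dirpath).relative_to(root).as_posix()
            found.append((rel, expat_version(dirpath)))
    return sorted(found)


def build_fixture():
    """Constructed sample tree: one copy with a header, one without, one decoy file."""
    root = Path(tempfile.mkdtemp(prefix="embedded-expat-"))

    with_header = root / "Library" / "External" / "expat"
    with_header.mkdir(parents=True)
    (with_header / "xmltok_impl.c").write_text("/* constructed stand-in */\n")
    (with_header / "expat.h").write_text(
        "#define XML_MAJOR_VERSION 1\n"
        "#define XML_MINOR_VERSION 95\n"
        "#define XML_MICRO_VERSION 8\n"
    )

    without_header = root / "vendor" / "oldexpat"
    without_header.mkdir(parents=True)
    (without_header / "xmlparse.c").write_text("/* constructed stand-in, no expat.h */\n")

    decoy = root / "src"
    decoy.mkdir()
    (decoy / "parser.c").write_text("/* mentions expat but is not a copy */\n")
    return root


if __name__ == "__main__":
    for rel, version in find_expat_copies(build_fixture()):
        print("%-32s expat %s" % (rel, version))
```

Run it against a real unpacked source package (`find_expat_copies("/path/to/w3c-libwww-5.4.0")`) and compare each reported version with the release that carries the fix; a copy reported as "unknown" still needs a manual look at its xmltok_impl.c.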
Bug#551938: w3c-libwww: CVE-2009-2625
On Thu, Oct 22, 2009 at 11:28:46AM +0200, Richard Atterer wrote:
> Hello Mike,
>
> thanks for noticing that w3c-libwww ships a vulnerable local copy of expat!
>
> On Wed, Oct 21, 2009 at 06:40:08PM -0400, Michael Gilbert wrote:
> > hello,
> >
> > a security issue has been disclosed for expat. see [0], [1]. w3c-libwww
> > embeds expat, so it is also affected. this affects all supported debian
> > releases, so please coordinate with the security team to prepare DSAs.
> >
> > mike
> >
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
> > [1] https://bugs.gentoo.org/show_bug.cgi?id=280615
>
> w3c-libwww is currently at 5.4.0-11 in oldstable and unstable. I want it
> removed from the archive because it is old and suffers from bitrot, see
> #440436. So I suggest the following:
>
> * Simply remove it from unstable, this should be possible with minor
>   problems, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440436#63

But please proceed with the removal from unstable by filing a removal bug
against ftp.debian.org. Amaya has been removed and the other users have
been fixed.

> * Fix the problem in oldstable by applying the security patch to libwww's
>   own copy of expat. Of course, eliminating the duplicate expat would be
>   cleaner, but the effort is hardly justified at this point, or what do you
>   think?
>
> The bugfix patch is here, it applies to libwww's expat copy:
> https://bugs.gentoo.org/attachment.cgi?id=201849
> http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.15&r2=1.13

Since CVE-2009-2625 doesn't allow code injection, but only DoS and given
that libwww in oldstable is only used by wmweather, I think we can ignore
it, unless Nico wants to work on an update?

Cheers,
        Moritz
Bug#551938: w3c-libwww: CVE-2009-2625
On Thu, Oct 22, 2009 at 11:34:32PM +0200, Moritz Muehlenhoff wrote:
> But please proceed with the removal from unstable by filing a removal bug
> against ftp.debian.org. Amaya has been removed and the other users have
> been fixed.

I've filed for removal: #552033

> Since CVE-2009-2625 doesn't allow code injection, but only DoS and given
> that libwww in oldstable is only used by wmweather, I think we can ignore
> it, unless Nico wants to work on an update?

Well, I've already prepared new versions of the packages, although they are
completely untested ATM, except that I had a look at them with
debdiff/interdiff: http://atterer.net/libwww/

Are you interested in using these?

Cheers,

  Richard

sha384sum:
518b5f248997eb31f3c0bc5e876b50fe2265d693c6686f2caec2c86d01f67a5b3d57459447fd73201df49048078bfd8b  libwww0_5.4.0-11+etch1_amd64.deb
417eb401b507c1901941659a437b304d8bbc40da60c6bba2916842a109ab0b15c1fa95b3da5da9a3eec44135e06b96bc  libwww-dev_5.4.0-11+etch1_amd64.deb
2064a45e8123d9eab51d7f20f9ec419fa692b8c87c95dd13f654c310ffa1068c6c0e03ff9910add9e32950efce10f25d  libwww-ssl0_5.4.0-11+etch1_amd64.deb
cf79bae0eb283237b50518b95e1c8755464036eaf3162557f7022f62cdab405ae47518623a03cbf5e918fba54c2d  libwww-ssl-dev_5.4.0-11+etch1_amd64.deb
ced1bb2f057754679d1447414882ef724a903745bc6d6b5d3b21de35ea30d13a70970974f44ad205c89caed41f5116b0  w3c-libwww_5.4.0-11+etch1_amd64.changes
0a720f95e35051033a469a05a20088c8c5ad109b41fea5e6e8a372c3d40881289160f90d1cbc68e1eda436b26f2cb3c1  w3c-libwww_5.4.0-11+etch1.diff.gz
06f0d46eef90ef111e8c9ba1269e62c64aa04df01c6be153b78c03f2cf7fd2407f9cef12488be98c27a7ea6132df1c0f  w3c-libwww_5.4.0-11+etch1.dsc
0ea73901b7da23d403b43910f97e7ed7dff11d539811244136c5102dde67bee5aea10b2f5dd1ab16f898da8a65d65352  w3c-libwww_5.4.0.orig.tar.gz

-- 
Richard Atterer | GnuPG key: 888354F7 | http://atterer.net
08A9 7B7D 3D13 3EF2 3D25 D157 79E6 F6DC 8883 54F7
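Anyone fetching the untested packages from http://atterer.net/libwww/ would want to check them against the sha384sum list in the message above before installing or sponsoring them. The script below is an added example, not code from the thread: it parses a manifest in sha384sum output format, verifies each listed file, and, before hashing anything, checks that every digest is a complete 96-character hex string. That check matters here: as the list appears in this message, the entry for libwww-ssl-dev_5.4.0-11+etch1_amd64.deb has only 92 hex characters, so it can never verify and is reported as a malformed digest rather than as a mismatch that might be blamed on the file. The MANIFEST constant is copied from the message; the packages themselves are not on this page, so the demo functions create constructed stand-in files in a temporary directory.

```python
"""Verify a sha384sum-style manifest, rejecting malformed digests up front.

Added example, not code from the bug thread. MANIFEST is copied from
Richard's message; the files it names are not available here, so the demo
functions write constructed stand-in files into a temporary directory.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# A SHA-384 digest is exactly 96 lowercase hex characters.
HEX_SHA384 = re.compile(r"^[0-9a-f]{96}$")

# Copied from the message above, in sha384sum's "digest  filename" layout.
MANIFEST = """\
518b5f248997eb31f3c0bc5e876b50fe2265d693c6686f2caec2c86d01f67a5b3d57459447fd73201df49048078bfd8b  libwww0_5.4.0-11+etch1_amd64.deb
417eb401b507c1901941659a437b304d8bbc40da60c6bba2916842a109ab0b15c1fa95b3da5da9a3eec44135e06b96bc  libwww-dev_5.4.0-11+etch1_amd64.deb
2064a45e8123d9eab51d7f20f9ec419fa692b8c87c95dd13f654c310ffa1068c6c0e03ff9910add9e32950efce10f25d  libwww-ssl0_5.4.0-11+etch1_amd64.deb
cf79bae0eb283237b50518b95e1c8755464036eaf3162557f7022f62cdab405ae47518623a03cbf5e918fba54c2d  libwww-ssl-dev_5.4.0-11+etch1_amd64.deb
ced1bb2f057754679d1447414882ef724a903745bc6d6b5d3b21de35ea30d13a70970974f44ad205c89caed41f5116b0  w3c-libwww_5.4.0-11+etch1_amd64.changes
0a720f95e35051033a469a05a20088c8c5ad109b41fea5e6e8a372c3d40881289160f90d1cbc68e1eda436b26f2cb3c1  w3c-libwww_5.4.0-11+etch1.diff.gz
06f0d46eef90ef111e8c9ba1269e62c64aa04df01c6be153b78c03f2cf7fd2407f9cef12488be98c27a7ea6132df1c0f  w3c-libwww_5.4.0-11+etch1.dsc
0ea73901b7da23d403b43910f97e7ed7dff11d539811244136c5102dde67bee5aea10b2f5dd1ab16f898da8a65d65352  w3c-libwww_5.4.0.orig.tar.gz
"""


def parse_manifest(text):
    """Return [(digest, filename)] from 'digest  filename' lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError("manifest line %d is not 'digest  filename'" % lineno)
        digest, name = fields
        name = name.lstrip("*")  # sha384sum marks binary-mode entries with '*'
        if "/" in name or os.sep in name or name in (".", ".."):
            raise ValueError("manifest line %d: refusing path-like name %r" % (lineno, name))
        entries.append((digest.lower(), name))
    return entries


def malformed_digests(entries):
    """Filenames whose digest is not a complete SHA-384 hex string."""
    return [name for digest, name in entries if not HEX_SHA384.match(digest)]


def sha384_file(path):
    """Stream a file through SHA-384 and return the hex digest."""
    h = hashlib.sha384()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(entries, directory):
    """Map each filename to OK, MISMATCH, MISSING or MALFORMED DIGEST."""
    results = {}
    for digest, name in entries:
        path = Path(directory) / name
        if not HEX_SHA384.match(digest):
            results[name] = "MALFORMED DIGEST"   # never hash against a broken value
        elif not path.is_file():
            results[name] = "MISSING"
        elif sha384_file(path) == digest:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def demo_posted_manifest():
    """Check the posted manifest against a directory holding one constructed stand-in file."""
    d = tempfile.mkdtemp(prefix="libwww-check-")
    stand_in = Path(d) / "w3c-libwww_5.4.0.orig.tar.gz"
    stand_in.write_bytes(b"constructed stand-in, not the real tarball\n")
    return verify(parse_manifest(MANIFEST), d)


def demo_good_file():
    """Show the OK path: a constructed file checked against its own computed digest."""
    d = tempfile.mkdtemp(prefix="libwww-check-")
    path = Path(d) / "example.deb"
    path.write_bytes(b"constructed content\n")
    entries = [(hashlib.sha384(path.read_bytes()).hexdigest(), "example.deb")]
    return verify(entries, d)["example.deb"]


if __name__ == "__main__":
    for name, status in sorted(demo_posted_manifest().items()):
        print("%-16s %s" % (status, name))
```

With the real downloads in place of the temporary directory, every entry should read OK; a MALFORMED DIGEST line means the published list itself has to be corrected before the package can be trusted, since no file can ever match a 92-character value.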
Bug#551938: w3c-libwww: CVE-2009-2625
On Fri, 23 Oct 2009 00:37:29 +0200 Richard Atterer wrote:
> On Thu, Oct 22, 2009 at 11:34:32PM +0200, Moritz Muehlenhoff wrote:
> > But please proceed with the removal from unstable by filing a removal bug
> > against ftp.debian.org. Amaya has been removed and the other users have
> > been fixed.
>
> I've filed for removal: #552033
>
> > Since CVE-2009-2625 doesn't allow code injection, but only DoS and given
> > that libwww in oldstable is only used by wmweather, I think we can ignore
> > it, unless Nico wants to work on an update?
>
> Well, I've already prepared new versions of the packages, although they are
> completely untested ATM, except that I had a look at them with
> debdiff/interdiff: http://atterer.net/libwww/
>
> Are you interested in using these?

This is being tracked as a minor issue, so you can get this pushed into the
next etch point release by filing a bug against release.debian.org. A DSA
will not be issued.

mike
Bug#551938: w3c-libwww: CVE-2009-2625
package: w3c-libwww
version: 5.4.0-11
severity: serious
tags: security

Hello,

A security issue has been disclosed for expat. See [0], [1]. w3c-libwww
embeds expat, so it is also affected. This affects all supported Debian
releases, so please coordinate with the security team to prepare DSAs.

mike

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
[1] https://bugs.gentoo.org/show_bug.cgi?id=280615