Bug#888547: CVE-2017-1000190

2019-04-22 Thread Ivo De Decker
Hi,

On Sun, Apr 14, 2019 at 11:57:26PM +0200, Emmanuel Bourg wrote:
> On 14/04/2019 at 23:27, Markus Koschany wrote:
> 
> > Simple-xml is only required to build carrotsearch-randomizedtesting. It
> > is not a test-dependency though.
> 
> > Apparently the removal makes no difference for lucene4.10.
> 
> Indeed, because carrotsearch-randomizedtesting is just a test dependency
> of lucene4.10.

Thanks for the changes allowing simple-xml to be removed. I added a removal
hint so simple-xml should be out of testing soon.

Ivo



Bug#888547: CVE-2017-1000190

2019-04-14 Thread Emmanuel Bourg
On 14/04/2019 at 23:27, Markus Koschany wrote:

> Simple-xml is only required to build carrotsearch-randomizedtesting. It
> is not a test-dependency though.

> Apparently the removal makes no difference for lucene4.10.

Indeed, because carrotsearch-randomizedtesting is just a test dependency
of lucene4.10.

Emmanuel Bourg



Bug#888547: CVE-2017-1000190

2019-04-14 Thread Markus Koschany
Hi,

On 13.04.19 at 11:31, Ivo De Decker wrote:
[...]
> Is it possible to remove the test-dependency (probably by disabling the
> tests)? That way simple-xml could be removed from buster. Even if we don't do
> this for buster, it might be good to do this for bullseye anyway, if the
> package isn't really maintained.

Simple-xml is only required to build carrotsearch-randomizedtesting. It
is not a test-dependency though. However I have just disabled the only
module in carrotsearch-randomizedtesting that uses simple-xml, which is
junit4-ant.

If we do that then lucene4.10 will FTBFS but it requires only a simple
patch to tell the build system not to look for the now missing
junit4-ant dependency. Apparently the removal makes no difference for
lucene4.10. I can implement those changes in the coming days.

Regards,

Markus





Bug#888547: CVE-2017-1000190

2019-04-13 Thread Ivo De Decker
Hi,

On Fri, Aug 24, 2018 at 01:18:09AM +0200, Emmanuel Bourg wrote:
> On 23/08/2018 17:11, Markus Koschany wrote:
> 
> > My concern is that we have an upstream project that does not even
> > consider such a trivial fix. Then we have another example of a
> > fire-and-forget one time upload (simple-xml) and now the package is
> > carried "by the team". carrotsearch-randomizedtesting is a
> > test-dependency for lucene4.10 and spatial4j, same pattern, one time
> > upload, now carried by the team. And when I see that we ship at least
> > three versions of lucene in Debian, then I suppose we still have some
> > room for improvements.
> 
> lucene2 is only used by eclipse, I hope we'll be able to remove both of
> them before Buster is released. With the new eclipse-* packages heading
> to unstable this is now a likely outcome.
> 
> 
> > The gist is: Better maintain few packages and do it well, instead of
> > maintaining many packages that just exist for collecting RC bugs.
> 
> I agree. Not all CVEs are equally important though, here simple-xml is
> just a test dependency of another package and has a very low popcon, the
> vulnerability has no real impact on the Debian users.

Is it possible to remove the test-dependency (probably by disabling the
tests)? That way simple-xml could be removed from buster. Even if we don't do
this for buster, it might be good to do this for bullseye anyway, if the
package isn't really maintained.

Thanks,

Ivo



Bug#888547: CVE-2017-1000190

2018-08-23 Thread Emmanuel Bourg
On 23/08/2018 17:11, Markus Koschany wrote:

> My concern is that we have an upstream project that does not even
> consider such a trivial fix. Then we have another example of a
> fire-and-forget one time upload (simple-xml) and now the package is
> carried "by the team". carrotsearch-randomizedtesting is a
> test-dependency for lucene4.10 and spatial4j, same pattern, one time
> upload, now carried by the team. And when I see that we ship at least
> three versions of lucene in Debian, then I suppose we still have some
> room for improvements.

lucene2 is only used by eclipse, I hope we'll be able to remove both of
them before Buster is released. With the new eclipse-* packages heading
to unstable this is now a likely outcome.


> The gist is: Better maintain few packages and do it well, instead of
> maintaining many packages that just exist for collecting RC bugs.

I agree. Not all CVEs are equally important though, here simple-xml is
just a test dependency of another package and has a very low popcon, the
vulnerability has no real impact on the Debian users.

Emmanuel Bourg



Bug#888547: CVE-2017-1000190

2018-08-23 Thread Markus Koschany
On 23.08.2018 at 15:55, Emmanuel Bourg wrote:
> On 23/08/2018 13:14, Markus Koschany wrote:
>> Apparently upstream doesn't consider this "to be their problem". Since
>> simple-xml has no reverse-dependencies and the current uploader is MIA,
>> I think we should consider requesting the removal of simple-xml.
> 
> simple-xml is a dependency of carrotsearch-randomizedtesting.
> 
> The fix should be trivial, it's just a matter of disabling external
> entities parsing on the underlying XML parser. And maybe we've already
> fixed the XML parser used by default.

My concern is that we have an upstream project that does not even
consider such a trivial fix. Then we have another example of a
fire-and-forget one time upload (simple-xml) and now the package is
carried "by the team". carrotsearch-randomizedtesting is a
test-dependency for lucene4.10 and spatial4j, same pattern, one time
upload, now carried by the team. And when I see that we ship at least
three versions of lucene in Debian, then I suppose we still have some
room for improvements.

The gist is: Better maintain few packages and do it well, instead of
maintaining many packages that just exist for collecting RC bugs.

Markus





Bug#888547: CVE-2017-1000190

2018-08-23 Thread Emmanuel Bourg
On 23/08/2018 13:14, Markus Koschany wrote:
> Apparently upstream doesn't consider this "to be their problem". Since
> simple-xml has no reverse-dependencies and the current uploader is MIA,
> I think we should consider requesting the removal of simple-xml.

simple-xml is a dependency of carrotsearch-randomizedtesting.

The fix should be trivial, it's just a matter of disabling external
entities parsing on the underlying XML parser. And maybe we've already
fixed the XML parser used by default.

Emmanuel Bourg
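The parser-level fix Emmanuel describes above, as an added example that is not simple-xml's code and not part of this bug thread. The thread does not say which XML parser simple-xml selects by default, so this uses the standard javax.xml.stream (StAX) API directly: a constructed XXE document is parsed once with a default XMLInputFactory and once with a factory that has DTD support and external entity resolution switched off. The class and method names (XxeHardening, readValue, hardenedFactory) are illustrative; the two property names are the ones defined by the StAX API itself. The secret file and the payload are constructed for the demonstration.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

public class XxeHardening {

    // Constructed XXE payload: an external entity whose SYSTEM id points at a
    // local file. A parser that resolves it copies the file into <value>.
    static String payload(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE root [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
             + "<root><value>&xxe;</value></root>";
    }

    // Default factory: DTD processing and external entity resolution are left
    // at the implementation defaults, which in the JDK's StAX means enabled.
    static XMLInputFactory vulnerableFactory() {
        return XMLInputFactory.newInstance();
    }

    // Hardened factory: refuse DTDs altogether, and as a second layer refuse to
    // resolve external entities even if a DTD slips through.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Pull-parse the document and return whatever ends up inside <value>.
    // Unresolved entity references are rendered back as "&name;" so the
    // difference between the two factories is visible in the output.
    static String readValue(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        boolean inValue = false;
        while (r.hasNext()) {
            int ev = r.next();
            if (ev == XMLStreamConstants.START_ELEMENT && r.getLocalName().equals("value")) {
                inValue = true;
            } else if (ev == XMLStreamConstants.END_ELEMENT && r.getLocalName().equals("value")) {
                inValue = false;
            } else if (inValue && (ev == XMLStreamConstants.CHARACTERS || ev == XMLStreamConstants.CDATA)) {
                sb.append(r.getText());
            } else if (inValue && ev == XMLStreamConstants.ENTITY_REFERENCE) {
                sb.append('&').append(r.getLocalName()).append(';');
            }
        }
        r.close();
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" standing in for /etc/passwd or a credentials file.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "top-secret-token");
        String xml = payload(secret);

        // Default configuration: the file contents leak into the parsed value.
        System.out.println("default factory : " + readValue(vulnerableFactory(), xml));

        // Hardened configuration: depending on the StAX implementation the
        // document is either rejected with an XMLStreamException or parsed with
        // &xxe; left unresolved. In neither case is the file read.
        try {
            System.out.println("hardened factory: " + readValue(hardenedFactory(), xml));
        } catch (XMLStreamException e) {
            System.out.println("hardened factory rejected the document: " + e.getMessage());
        }
        Files.delete(secret);
    }
}
```

Compile and run with a Java 11 or newer JDK (java XxeHardening.java). The same two switches exist, under different names, for the DOM and SAX entry points (DocumentBuilderFactory and SAXParserFactory features such as disallow-doctype-decl and external-general-entities), so whichever parser simple-xml ends up wrapping, the fix is the same shape: disable DTDs, then disable external entity resolution as a fallback.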



Bug#888547: CVE-2017-1000190

2018-08-23 Thread Markus Koschany
Apparently upstream doesn't consider this "to be their problem". Since
simple-xml has no reverse-dependencies and the current uploader is MIA,
I think we should consider requesting the removal of simple-xml.

Markus


