Your message dated Wed, 27 Oct 2010 17:05:12 +0200
with message-id <1288191912.8043.186.ca...@bohrium.pps.jussieu.fr>
and subject line Re: severity of 601053 is grave
has caused the Debian Bug report #601053,
regarding mcabber uses a vulnerable and embedded version of the expat library
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
601053: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601053
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mcabber
Version: 0.9.7-0.1
Severity: important
Tags: security

Mcabber uses an embedded and vulnerable version of the expat library for XML
parsing. At a minimum,
http://security-tracker.debian.org/tracker/CVE-2009-3720 is present from
having a quick review of the relevant source. I have not investigated the
impact of this vulnerability or how it would be triggered. I imagine the
impact is quite low because the outstanding vulnerabilities in expat are
denials of service. The desired outcome is that mcabber dynamically link
against the system expat library instead of linking in the embedded copy.

--- End Message ---
--- Begin Message ---
Version: 0.10.0-1

mcabber now depends on libloudmouth and does not ship an embedded
version of expat anymore.



--- End Message ---
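
Added example (not part of the bug report, mcabber, or Debian's tooling): a shell check that walks an unpacked source tree and reports directories carrying a bundled copy of expat, the condition the report describes and the fix removes. The file names xmlparse.c and xmltok.c and the XML_*_VERSION macros are upstream expat's; the directory layout and version in the sample tree are constructed.

```shell
#!/bin/sh
# Added example: locate bundled copies of expat in an unpacked source tree.
# The sample tree built below is constructed for illustration only.

# Print "<directory> <version>" for every directory under $1 that contains
# expat's parser and tokenizer sources.
find_embedded_expat() {
    find "$1" -type f -name xmlparse.c 2>/dev/null | sort |
    while IFS= read -r f; do
        d=$(dirname "$f")
        # Require the tokenizer too, so an unrelated xmlparse.c is not reported.
        [ -f "$d/xmltok.c" ] || continue
        ver=
        if [ -f "$d/expat.h" ]; then
            ver=$(awk '
                $1 == "#define" && $2 == "XML_MAJOR_VERSION" { a = $3 }
                $1 == "#define" && $2 == "XML_MINOR_VERSION" { b = $3 }
                $1 == "#define" && $2 == "XML_MICRO_VERSION" { c = $3 }
                END { if (a != "") print a "." b "." c }' "$d/expat.h")
        fi
        # A copy with no version macros is still reported: it cannot be
        # matched against advisories, so it needs manual review.
        printf '%s %s\n' "$d" "${ver:-unknown}"
    done
}

# Constructed sample tree: one copy without a version header, one with,
# and a decoy directory that only holds a file named xmlparse.c.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/bundled/expat" "$t/vendor/expat/lib" "$t/tools"
    : > "$t/bundled/expat/xmlparse.c"; : > "$t/bundled/expat/xmltok.c"
    : > "$t/vendor/expat/lib/xmlparse.c"; : > "$t/vendor/expat/lib/xmltok.c"
    printf '#define XML_MAJOR_VERSION 2\n#define XML_MINOR_VERSION 0\n#define XML_MICRO_VERSION 1\n' \
        > "$t/vendor/expat/lib/expat.h"
    : > "$t/tools/xmlparse.c"
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
find_embedded_expat "$tree"
rm -rf "$tree"
```

A tree that no longer ships the embedded copy produces no output, which is the state the closing message describes for 0.10.0-1.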
