Author: hertzog
Date: 2017-04-20 14:17:08 +0000 (Thu, 20 Apr 2017)
New Revision: 50851

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
Demote CVE-2016-9180 to no-dsa on wheezy too

Upstream is completely unresponsive on this issue but another solution
to the same problem exists in versions >= 3.50 with the undocumented no_xxe 
flag.

We could backport the no_xxe flag but it would be unreasonable to modify
reverse dependencies to ensure that they are using it. Since the impact
is very low, we will just ignore the issue and hope that the situation
will improve upstream at some point.

Modified: data/CVE/list
===================================================================
--- data/CVE/list       2017-04-20 14:03:58 UTC (rev 50850)
+++ data/CVE/list       2017-04-20 14:17:08 UTC (rev 50851)
@@ -22662,6 +22662,7 @@
 CVE-2016-9180 (perl-XML-Twig: The option to `expand_external_ents`, documented 
as ...)
        - libxml-twig-perl <unfixed> (bug #842893)
        [jessie] - libxml-twig-perl <no-dsa> (Minor issue; can be fixed via 
point release)
+       [wheezy] - libxml-twig-perl <no-dsa> (Minor issue, new flag would 
require changes to applications too, not worth the effort)
        NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=118097
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1379553
        NOTE: http://www.openwall.com/lists/oss-security/2016/11/02/1
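Review bot: the new [wheezy] annotation says "new flag would require changes to applications too" without naming the flag, and the same commit removes the dla-needed.txt NOTE that recorded it (no_xxe, available from 3.50); add a NOTE line to this entry, e.g. `NOTE: 3.50 adds an undocumented no_xxe option; relying on it requires changes in reverse dependencies`, so the rationale survives in the tracker once the dla-needed entry is gone. Also, the [jessie] line still reads "can be fixed via point release" while the wheezy line argues the flag is not worth backporting because applications would have to opt in; if that is the assessment, align the jessie text so the two annotations do not contradict each other.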

Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt 2017-04-20 14:03:58 UTC (rev 50850)
+++ data/dla-needed.txt 2017-04-20 14:17:08 UTC (rev 50851)
@@ -57,12 +57,6 @@
 libvpx (Emilio Pozuelo)
   NOTE: The CVEs needs further triaging.
 --
-libxml-twig-perl
-  NOTE: no upstream fix yet (as of 2017-02-28) for expand_external_ents
-  NOTE: but new no_xxe flag in 3.50 that could be backported
-  NOTE: 2016-12-13: Upstream ping here: 
https://rt.cpan.org/Public/Bug/Display.html?id=118097#txn-1690223
-  NOTE: 2017-01-20 and 2017-03-09: Ping upstream by private email -- Raphael 
Hertzog
---
 libxslt (Emilio Pozuelo)
   NOTE: it's not clear whether libxslt (the library) should call srand() 
itself.
   NOTE: xsltproc 1.1.29 has a --seed-rand option, but that's not present in 
wheezy,
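Review bot: dropping this entry discards the only record of the upstream contact history (the 2016-12-13 RT transaction link and the private-mail pings of 2017-01-20 and 2017-03-09); data/CVE/list carries only the bare RT bug URL. Before removing the block, copy those dates into NOTE lines on the CVE-2016-9180 entry so whoever revisits the issue can see upstream has already been pinged three times without response.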


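The commit log argues that the only available fix is an opt-in flag that every reverse dependency would have to set. The script below is an added illustration of that point, not code from the Debian tracker or from XML::Twig itself: it feeds a constructed XXE payload (a SYSTEM entity pointing at a temporary file) through XML::Twig with several expand_external_ents values, then with no_xxe. It assumes XML::Twig >= 3.50 (no_xxe is rejected as an unknown option on older releases) and that no_xxe makes the parser die on an external entity reference; both are assumptions labelled in the comments.

```perl
#!/usr/bin/perl
# Added example; not from the Debian tracker or the XML::Twig distribution.
# Shows why CVE-2016-9180 cannot be fixed inside the library alone: the
# only working control (no_xxe, >= 3.50) must be passed by each application.
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::Twig;

# Constructed "secret" file that the attacker-controlled document tries to read.
my ($fh, $secret_path) = tempfile(UNLINK => 1);
print $fh "s3cret\n";
close $fh;

# Constructed XXE payload: a SYSTEM entity referencing the local file.
my $payload = <<"XML";
<?xml version="1.0"?>
<!DOCTYPE doc [ <!ENTITY ext SYSTEM "$secret_path"> ]>
<doc>&ext;</doc>
XML

# Parse the payload with the given XML::Twig options and report either the
# text the parser produced or the error it died with.
sub parse_with {
    my (%opts) = @_;
    my $twig;
    my $ok = eval {
        $twig = XML::Twig->new(%opts);
        $twig->parse($payload);
        1;
    };
    return $ok ? "parsed, text = '" . $twig->root->text . "'"
               : "refused: $@";
}

# 1. The documented knob. CVE-2016-9180 reports that expand_external_ents
#    does not control what the parser does with external entities, so the
#    file contents are expected to show up regardless of the value.
for my $value (1, 0, -1) {
    print "expand_external_ents => $value : ",
          parse_with(expand_external_ents => $value), "\n";
}

# 2. The undocumented no_xxe option from 3.50. Assumption: it causes the
#    parser to die on an external entity reference. Nothing turns it on by
#    default, so backporting it alone changes nothing for reverse
#    dependencies that never pass it, which is the commit's point.
print "no_xxe => 1 : ", parse_with(no_xxe => 1), "\n";
```

Run it against the XML::Twig version in the suite under triage; the loop output is the observation the CVE describes, and the final line is what an application gains only if its own code is changed to pass no_xxe.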
_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
