Debian Bug report logs - #674167
CVE-2012-2921


Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Wed, 23 May 2012 14:48:01 UTC

Severity: grave

Tags: security

Fixed in version feedparser/5.1.2-1

Done: Carlos Galisteo <cgalisteo@k-rolus.net>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Carlos Galisteo <cgalisteo@k-rolus.net>:
Bug#674167; Package python-feedparser. (Wed, 23 May 2012 14:48:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Carlos Galisteo <cgalisteo@k-rolus.net>. (Wed, 23 May 2012 14:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-2921
Date: Wed, 23 May 2012 16:44:02 +0200
Package: python-feedparser
Severity: grave
Tags: security

Please see http://freecode.com/projects/feedparser/releases/344371:

> This is a security and bugfix release. Dangerous XML entities were not being stripped 
> from documents if the document was not in an ASCII-compatible character encoding. 
> This release fixes that. 

Can you check whether stable is affected?

This seems to be the fix:
https://code.google.com/p/feedparser/source/detail?r=703&path=/trunk/feedparser/feedparser.py

Cheers,
        Moritz
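The release note quoted above describes the failure mode precisely: a sanitiser that strips DOCTYPE and entity declarations from the raw bytes, before the document is decoded, never sees the contiguous byte string `<!DOCTYPE` in a UTF-16 or UTF-32 feed (every ASCII letter is padded with NUL bytes), so the declaration passes through untouched and the XML parser later expands whatever entities it defines. The Python below is an added illustration of that ordering bug beside the decode-first ordering; it is written for this page, is not feedparser's code, and does not reproduce revision 703. The encoding sniffer, both strippers, the `parse_title` helper and the sample feed are all constructed here.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# A DOCTYPE, optionally carrying an internal subset where <!ENTITY ...>
# declarations live.  Both patterns are illustrative, not feedparser's own.
_DOCTYPE_BYTES = re.compile(rb'<!DOCTYPE\b[^\[>]*(?:\[[^\]]*\])?\s*>', re.DOTALL)
_DOCTYPE_TEXT = re.compile(r'<!DOCTYPE\b[^\[>]*(?:\[[^\]]*\])?\s*>', re.DOTALL)

# Byte-order marks, longest first so UTF-32 is not mistaken for UTF-16.
_BOMS = (
    (b'\x00\x00\xfe\xff', 'utf-32-be'),
    (b'\xff\xfe\x00\x00', 'utf-32-le'),
    (b'\xfe\xff', 'utf-16-be'),
    (b'\xff\xfe', 'utf-16-le'),
    (b'\xef\xbb\xbf', 'utf-8'),
)


def sniff_encoding(data: bytes) -> str:
    """Guess the encoding from a BOM, or from the byte layout of a leading '<?'."""
    for bom, enc in _BOMS:
        if data.startswith(bom):
            return enc
    # No BOM: byte patterns of '<?' in each fixed-width encoding (XML 1.0, appendix F).
    if data.startswith(b'\x00\x00\x00<'):
        return 'utf-32-be'
    if data.startswith(b'<\x00\x00\x00'):
        return 'utf-32-le'
    if data.startswith(b'\x00<\x00?'):
        return 'utf-16-be'
    if data.startswith(b'<\x00?\x00'):
        return 'utf-16-le'
    return 'utf-8'


def _decode(data: bytes) -> str:
    # Explicit -le/-be codecs leave the BOM as U+FEFF; strip it from the text.
    return data.decode(sniff_encoding(data)).lstrip('\ufeff')


def strip_doctype_before_decode(data: bytes) -> str:
    """Vulnerable ordering: match on raw bytes, decode afterwards.

    In UTF-16/UTF-32 the bytes b'<!DOCTYPE' never occur contiguously, so the
    substitution is a no-op and the declaration survives into the parser.
    """
    return _decode(_DOCTYPE_BYTES.sub(b'', data))


def strip_doctype_after_decode(data: bytes) -> str:
    """Fixed ordering: decode to text first, then strip the DOCTYPE."""
    return _DOCTYPE_TEXT.sub('', _decode(data))


def parse_title(xml_text: str) -> Optional[str]:
    """Return the channel title as the parser sees it, or None if parsing fails.

    With the DOCTYPE intact, expat expands &payload; from the internal subset.
    With it stripped, &payload; is undefined and the parser rejects the document.
    """
    try:
        return ET.fromstring(xml_text).findtext('channel/title')
    except ET.ParseError:
        return None


# Constructed sample feed: an internal-subset entity referenced from the title.
FEED_TEXT = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE rss [<!ENTITY payload "expanded-by-parser">]>\n'
    '<rss version="2.0"><channel><title>&payload;</title></channel></rss>'
)
FEED_UTF8 = FEED_TEXT.encode('utf-8')                          # ASCII-compatible
FEED_UTF16 = b'\xff\xfe' + FEED_TEXT.encode('utf-16-le')       # not ASCII-compatible
FEED_UTF32 = b'\x00\x00\xfe\xff' + FEED_TEXT.encode('utf-32-be')

if __name__ == '__main__':
    for name, feed in (('utf-8', FEED_UTF8), ('utf-16', FEED_UTF16), ('utf-32', FEED_UTF32)):
        print(name,
              'before-decode:', parse_title(strip_doctype_before_decode(feed)),
              'after-decode:', parse_title(strip_doctype_after_decode(feed)))
```

Run stand-alone, the UTF-8 feed loses its DOCTYPE under either ordering, while the UTF-16 and UTF-32 feeds keep it under the byte-first ordering and the parser expands the entity. The decode-first version still depends on the sniffer guessing the encoding correctly; a parser that refuses entity declarations outright (as defusedxml does for the standard-library parsers) removes that dependence.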




Reply sent to Carlos Galisteo <cgalisteo@k-rolus.net>:
You have taken responsibility. (Tue, 29 May 2012 22:06:08 GMT)


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Tue, 29 May 2012 22:06:08 GMT)


Message #10 received at 674167-close@bugs.debian.org:

From: Carlos Galisteo <cgalisteo@k-rolus.net>
To: 674167-close@bugs.debian.org
Subject: Bug#674167: fixed in feedparser 5.1.2-1
Date: Tue, 29 May 2012 22:02:38 +0000
Source: feedparser
Source-Version: 5.1.2-1

We believe that the bug you reported is fixed in the latest version of
feedparser, which is due to be installed in the Debian FTP archive:

feedparser_5.1.2-1.debian.tar.gz
  to main/f/feedparser/feedparser_5.1.2-1.debian.tar.gz
feedparser_5.1.2-1.dsc
  to main/f/feedparser/feedparser_5.1.2-1.dsc
feedparser_5.1.2.orig.tar.gz
  to main/f/feedparser/feedparser_5.1.2.orig.tar.gz
python-feedparser_5.1.2-1_all.deb
  to main/f/feedparser/python-feedparser_5.1.2-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 674167@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Carlos Galisteo <cgalisteo@k-rolus.net> (supplier of updated feedparser package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 29 May 2012 09:54:36 +0200
Source: feedparser
Binary: python-feedparser
Architecture: source all
Version: 5.1.2-1
Distribution: unstable
Urgency: high
Maintainer: Carlos Galisteo <cgalisteo@k-rolus.net>
Changed-By: Carlos Galisteo <cgalisteo@k-rolus.net>
Description: 
 python-feedparser - Universal Feed Parser for Python
Closes: 646718 649855 674167
Changes: 
 feedparser (5.1.2-1) unstable; urgency=high
 .
   * New upstream release. (Closes: #674167)
   * debian/control
     - Homepage updated. (Closes: #649855)
     - Standards-Version updated to 3.9.3.1
   * debian/watch fixed.
   * debian/rules
     - Migrated to dh_python2. (Closes: #646718)
     - lintian debian-rules-missing-recommended-target warning fixed
Checksums-Sha1: 
 0f8a687cd8903916a7bc374eb26cc2e55176a652 2037 feedparser_5.1.2-1.dsc
 ee7cd63804c2e52f5f9a3e5802cd8e7ef966a6e9 284562 feedparser_5.1.2.orig.tar.gz
 5019a8d5bea3d81bb5065055550c2b247c8be2ca 4297 feedparser_5.1.2-1.debian.tar.gz
 4e7e48d28ff44a9c31d5a316113ede93016136b6 61966 python-feedparser_5.1.2-1_all.deb
Checksums-Sha256: 
 bc4852c3fb6f77d850e131f8eec5a00a25d976d3227cee408401a6de278eca0a 2037 feedparser_5.1.2-1.dsc
 183ddcf94b11648e710ef45ef8124386e315704a0247b073d375c7dd39b4cb7f 284562 feedparser_5.1.2.orig.tar.gz
 c98e8a1a30266cac4dabd6ec13f82bdae00110732713d9f175c67747a42a2fe4 4297 feedparser_5.1.2-1.debian.tar.gz
 c9fcb50db28b25d3c3c7e6f1d40e973942aa0e96e1316342b576c349c471dd49 61966 python-feedparser_5.1.2-1_all.deb
Files: 
 0a6621a20d97f03b15584d69dc5d0486 2037 python optional feedparser_5.1.2-1.dsc
 575e76c64ec61016a83a015c65110606 284562 python optional feedparser_5.1.2.orig.tar.gz
 d1b4ab92e723db65312316c2f5814933 4297 python optional feedparser_5.1.2-1.debian.tar.gz
 19185934ca2f2019c0b6c2f6d7c68d79 61966 python optional python-feedparser_5.1.2-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Carlos Galisteo <cgalisteo@k-rolus.net>:
Bug#674167; Package python-feedparser. (Fri, 18 Jan 2013 05:06:06 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Carlos Galisteo <cgalisteo@k-rolus.net>. (Fri, 18 Jan 2013 05:06:06 GMT)


Message #15 received at 674167@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 674167@bugs.debian.org
Subject: Re: CVE-2012-2921
Date: Thu, 17 Jan 2013 11:42:14 -0000
Package: python-feedparser

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.7) - use target "stable"

Please prepare a minimal-changes upload targetting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/674167/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:11:23 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:36:49 2019; Machine Name: buxtehude
