python-feedparser: please update feedparser, it hasn't been updated in a _long_ time

Related Vulnerabilities: CVE-2011-1158   CVE-2011-1157   CVE-2011-1156  

Debian Bug report logs - #617998
python-feedparser: please update feedparser, it hasn't been updated in a _long_ time


Reported by: david b <db.pub.mail@gmail.com>

Date: Sun, 13 Mar 2011 09:45:06 UTC

Severity: grave

Tags: security

Found in version feedparser/4.1-14

Fixed in version feedparser/5.0.1-1

Done: Carlos Galisteo <cgalisteo@k-rolus.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Carlos Galisteo <cgalisteo@k-rolus.net>:
Bug#617998; Package python-feedparser. (Sun, 13 Mar 2011 09:45:08 GMT) (full text, mbox, link).


Acknowledgement sent to david b <db.pub.mail@gmail.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Carlos Galisteo <cgalisteo@k-rolus.net>. (Sun, 13 Mar 2011 09:45:08 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: david b <db.pub.mail@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-feedparser: please update feedparser, it hasn't been updated in a _long_ time
Date: Sun, 13 Mar 2011 20:43:51 +1100
Package: python-feedparser
Version: 4.1-14
Severity: grave
Tags: security
Justification: user security hole

Please update the version of python-feedparser found in Debian to something recent:

The following bugs will then be fixed:

1. Issue 195: XSS vulnerability in feedparser http://code.google.com/p/feedparser/issues/detail?id=195&can=1&start=100
2. Issue 255: html sanitizer doesn't strip unsafe uri schemes http://code.google.com/p/feedparser/issues/detail?id=255&can=1&start=200
3. Issue 254: html sanitisation can be bypassed with malformed comments http://code.google.com/p/feedparser/issues/detail?id=254&can=1&start=200

-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37.3 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages python-feedparser depends on:
ii  python                  2.6.6-3+squeeze5 interactive high-level object-orie
ii  python-support          1.0.10           automated rebuilding support for P

Versions of packages python-feedparser recommends:
pn  python-chardet                <none>     (no description available)
pn  python-libxml2                <none>     (no description available)
pn  python-utidylib               <none>     (no description available)

python-feedparser suggests no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#617998; Package python-feedparser. (Fri, 18 Mar 2011 09:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Carlos Galisteo <cgalisteo@k-rolus.net>:
Extra info received and forwarded to list. (Fri, 18 Mar 2011 09:21:03 GMT) (full text, mbox, link).


Message #10 received at 617998@bugs.debian.org (full text, mbox, reply):

From: Carlos Galisteo <cgalisteo@k-rolus.net>
To: 617998@bugs.debian.org
Subject: Re: Bug#617998: python-feedparser: please update feedparser, it hasn't been updated in a _long_ time
Date: Fri, 18 Mar 2011 03:17:42 -0600
I'm already working on the new release. It'll be ready in a couple of days.

Thanks.



-- 
---
Carlos Galisteo <cgalisteo AT k-rolus.net>
GPG key :0x8E0076E9:
Fingerprint: 939E 3D10 EAA2 A972 3AF2  E25C 26B7 D8E3 8E00 76E9
---




Information forwarded to debian-bugs-dist@lists.debian.org, Carlos Galisteo <cgalisteo@k-rolus.net>:
Bug#617998; Package python-feedparser. (Mon, 21 Mar 2011 16:18:12 GMT) (full text, mbox, link).


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Carlos Galisteo <cgalisteo@k-rolus.net>. (Mon, 21 Mar 2011 16:18:12 GMT) (full text, mbox, link).


Message #15 received at 617998@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>
To: 617998@bugs.debian.org
Subject: Re: Bug#617998: python-feedparser: please update feedparser, it hasn't been updated in a _long_ time
Date: Mon, 21 Mar 2011 16:17:44 +0000
[Message part 1 (text/plain, inline)]
Hi,

On Sun, Mar 13, 2011 at 08:43:51PM +1100, david b wrote:
> Please update the version of python-feedparser found in debian to something recent:

CVE IDs have been allocated for these issues and one more:

CVE-2011-1158 [sanitizer doesn't strip unsafe URI schemes]
https://code.google.com/p/feedparser/issues/detail?id=255

CVE-2011-1157 [sanitization can be bypassed by malformed XML comments]
https://code.google.com/p/feedparser/issues/detail?id=254

CVE-2011-1156 [invalid text in XML declaration causes sanitizer to crash]
https://code.google.com/p/feedparser/issues/detail?id=91

CVE-2011-XXXX [XSS vuln] (cve pending)
http://code.google.com/p/feedparser/issues/detail?id=195

Please mention these identifiers in the changelog when you upload a new
package fixing them. It would be great to have them backported to stable
and oldstable too (I'll help you with this if you need some pointers).

Thanks,
-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
[signature.asc (application/pgp-signature, inline)]
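
The three sanitizer gaps listed above (unsafe URI schemes left in place, a bypass via malformed comments, and markup that should never reach the reader) are the classic argument for sanitizing by allowlist rather than by stripping known-bad patterns. The following is an added example, not feedparser's own sanitizer or any code from this bug report: a small allowlist sanitizer on Python's html.parser, with constructed allowlists and a constructed sample fragment.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlists constructed for this illustration, not taken from feedparser.
ALLOWED_TAGS = {"p", "br", "a", "b", "i", "em", "strong", "img"}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}

def safe_url(value):
    # Relative URLs and allowlisted schemes pass. Characters <= 0x20 are removed
    # before the scheme is read, because browsers ignore leading and embedded
    # control characters there; the untouched value is what gets emitted.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES

class AllowlistSanitizer(HTMLParser):
    # Keeps only allowlisted tags and URL attributes; comments are discarded and text re-escaped.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown element: tag dropped, its text kept
        kept = [(n, v) for n, v in attrs
                if n in URL_ATTRS and v is not None and safe_url(v)]
        # style, on* handlers and anything else outside URL_ATTRS are dropped
        attr_text = "".join(f' {n}="{html.escape(v)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # never echoed, so nothing can hide inside a comment

def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

# Constructed sample: unsafe, obfuscated and safe links, a comment, a handler.
SAMPLE = ('<p>Hello <a href="javascript:alert(1)">click</a> <a href=" JavaScript:x">more</a> '
          '<a href="https://example.org/">ok</a><!-- <script>x</script> --><b onclick="x()">bold</b></p>')
```

Calling `sanitize(SAMPLE)` keeps the text and the https link and drops both unsafe hrefs, the comment contents and the onclick handler.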

Reply sent to Carlos Galisteo <cgalisteo@k-rolus.net>:
You have taken responsibility. (Mon, 04 Apr 2011 21:51:11 GMT) (full text, mbox, link).


Notification sent to david b <db.pub.mail@gmail.com>:
Bug acknowledged by developer. (Mon, 04 Apr 2011 21:51:11 GMT) (full text, mbox, link).


Message #20 received at 617998-close@bugs.debian.org (full text, mbox, reply):

From: Carlos Galisteo <cgalisteo@k-rolus.net>
To: 617998-close@bugs.debian.org
Subject: Bug#617998: fixed in feedparser 5.0.1-1
Date: Mon, 04 Apr 2011 21:47:11 +0000
Source: feedparser
Source-Version: 5.0.1-1

We believe that the bug you reported is fixed in the latest version of
feedparser, which is due to be installed in the Debian FTP archive:

feedparser_5.0.1-1.debian.tar.gz
  to main/f/feedparser/feedparser_5.0.1-1.debian.tar.gz
feedparser_5.0.1-1.dsc
  to main/f/feedparser/feedparser_5.0.1-1.dsc
feedparser_5.0.1.orig.tar.gz
  to main/f/feedparser/feedparser_5.0.1.orig.tar.gz
python-feedparser_5.0.1-1_all.deb
  to main/f/feedparser/python-feedparser_5.0.1-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 617998@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Carlos Galisteo <cgalisteo@k-rolus.net> (supplier of updated feedparser package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 30 Mar 2011 20:25:50 +0200
Source: feedparser
Binary: python-feedparser
Architecture: source all
Version: 5.0.1-1
Distribution: unstable
Urgency: low
Maintainer: Carlos Galisteo <cgalisteo@k-rolus.net>
Changed-By: Carlos Galisteo <cgalisteo@k-rolus.net>
Description: 
 python-feedparser - Universal Feed Parser for Python
Closes: 482775 617998
Changes: 
 feedparser (5.0.1-1) unstable; urgency=low
 .
   [ Carlos Galisteo ]
   * New upstream release. (Closes: #617998) (Closes: #482775)
   * Switch to dpkg-source 3.0 (quilt) format
   * Removed patch add-etag-only-if-etag-header-present.patch (fixed in 5.0)
   * Removed patch doc_css_path.diff (fixed in 5.0)
   * Removed patch auth_handlers_not_working.patch (fixed in 5.0).
   * Removed patch feedparser_utf8_decoding.patch (fixed in 5.0).
   * Removed patch democracynow_feedparser_fix.patch (fixed in 5.0).
   * Removed patch title_override.patch (fixed in 5.0).
   * Removed patch doc_css_path.diff (fixed in 5.0).
   * Fixes CVE-2011-1156
   * Fixes CVE-2011-1157
   * Fixes CVE-2011-1158
   * debian/control
     - Standards-Version updated to 3.9.1
     - Binary package depends on ${misc:Depends}
     - Build-depends on python instead of python-dev as lintian suggested.
   * debian/watch
     - watch file looks for *.tar.gz rather than .zip
   * Headers added to patches
 .
   [ Jakub Wilk ]
   * debian/rules:
     - Include /usr/share/python/python.mk only if it exists.





Information forwarded to debian-bugs-dist@lists.debian.org, Carlos Galisteo <cgalisteo@k-rolus.net>:
Bug#617998; Package python-feedparser. (Wed, 06 Jul 2011 18:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Carlos Galisteo <cgalisteo@k-rolus.net>. (Wed, 06 Jul 2011 18:57:03 GMT) (full text, mbox, link).


Message #25 received at 617998@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>
To: 617998@bugs.debian.org
Subject: Re: (PRSC) (Bug#617998: fixed in feedparser 5.0.1-1)
Date: Wed, 6 Jul 2011 19:53:26 +0100
[Message part 1 (text/plain, inline)]
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.2)

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help or lack time. Please keep me in CC at all times so I can
track the progress of this request.

For details of this process and the rationale, please see the original
announcement [1] and my blog post [2].

0: debian-release@lists.debian.org
1: <201101232332.11736.thijs@debian.org>
2: http://deb.li/prsc

Thanks,

with his security hat on:
-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 08:06:32 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:24:05 2019; Machine Name: beach
