[Secure-testing-commits] r50851 - in data: . CVE

Raphaël Hertzog hertzog at moszumanska.debian.org
Thu Apr 20 14:17:08 UTC 2017


Author: hertzog
Date: 2017-04-20 14:17:08 +0000 (Thu, 20 Apr 2017)
New Revision: 50851

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
Demote CVE-2016-9180 to no-dsa on wheezy too

Upstream is completely unresponsive on this issue, but another solution
to the same problem exists in versions >= 3.50 with the undocumented no_xxe flag.

We could backport the no_xxe flag but it would be unreasonable to modify
reverse dependencies to ensure that they are using it. Since the impact
is very low, we will just ignore the issue and hope that the situation
will improve upstream at some point.
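As an added self-check (not code from this commit, from Debian, or from the XML::Twig project), the script below feeds XML::Twig a constructed document whose internal DTD subset declares an external entity pointing at a temporary canary file, then reports whether the canary text reaches the parsed tree under the default options, under `expand_external_ents => 0` (the setting the CVE says does not work), and under the `no_xxe` option the log message refers to. It assumes XML::Twig and XML::Parser are installed; because `no_xxe` is undocumented and only exists from 3.50 on, the parse is wrapped in `eval` and any error (including an unknown-option error from an older XML::Twig) is reported verbatim rather than interpreted as a pass.

```perl
#!/usr/bin/perl
# Added example, not part of the Debian commit or of XML::Twig itself.
# Checks whether a given XML::Twig configuration lets an external entity
# read a local file. Assumes XML::Twig (on top of XML::Parser) is
# installed; the canary file and the XXE payload are constructed here.
use strict;
use warnings;
use XML::Twig;
use File::Temp qw(tempfile);

# Constructed "secret" file that the external entity points at.
my ($fh, $secret_path) = tempfile(UNLINK => 1);
print {$fh} "SECRET-CANARY-1234\n";
close $fh;

# Constructed XXE payload: the DTD declares an external entity whose
# system identifier is the canary file.
my $payload = <<"XML";
<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY xxe SYSTEM "file://$secret_path">
]>
<doc>&xxe;</doc>
XML

# Parse the payload with the given XML::Twig->new options and classify
# the outcome: 'LEAKED' if the canary reached the tree, 'not expanded'
# if parsing succeeded without it, or the parser's own error otherwise.
# no_xxe (XML::Twig >= 3.50) is expected to refuse the entity; older
# versions do not know the option and croak on it, so the error text is
# returned as-is instead of being counted as a pass.
sub xxe_outcome {
    my (%opts) = @_;
    my $text;
    my $ok = eval {
        my $twig = XML::Twig->new(%opts);
        $twig->parse($payload);
        $text = $twig->root->text;
        1;
    };
    if (!$ok) {
        my ($first_line) = split /\n/, $@;
        return "died: $first_line";
    }
    return defined $text && $text =~ /SECRET-CANARY/ ? 'LEAKED' : 'not expanded';
}

my @configs = (
    [ 'default options'                 => [] ],
    [ 'expand_external_ents => 0'       => [ expand_external_ents => 0 ] ],
    [ 'no_xxe => 1 (XML::Twig >= 3.50)' => [ no_xxe => 1 ] ],
);

printf "XML::Twig %s\n", $XML::Twig::VERSION;
printf "%-36s %s\n", $_->[0], xxe_outcome(@{ $_->[1] }) for @configs;
```

Run it against the libxml-twig-perl package of the release being triaged to see which configurations actually stop the read. An application that wants the mitigation has to pass `no_xxe => 1` to every `XML::Twig->new` call it owns, which is exactly the change to reverse dependencies that the log message above says is not reasonable to make distribution-wide.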

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-04-20 14:03:58 UTC (rev 50850)
+++ data/CVE/list	2017-04-20 14:17:08 UTC (rev 50851)
@@ -22662,6 +22662,7 @@
 CVE-2016-9180 (perl-XML-Twig: The option to `expand_external_ents`, documented as ...)
 	- libxml-twig-perl <unfixed> (bug #842893)
 	[jessie] - libxml-twig-perl <no-dsa> (Minor issue; can be fixed via point release)
+	[wheezy] - libxml-twig-perl <no-dsa> (Minor issue, new flag would require changes to applications too, not worth the effort)
 	NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=118097
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1379553
 	NOTE: http://www.openwall.com/lists/oss-security/2016/11/02/1
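Review bot: the new `[wheezy]` annotation leaves the `[jessie]` line above it saying the issue "can be fixed via point release", which no longer matches this log's own finding that upstream has no fix; either align both annotations on the same rationale or drop the point-release claim from jessie. The wheezy annotation also refers to a "new flag" without naming it: add a `NOTE:` line such as `NOTE: XML::Twig >= 3.50 has an undocumented no_xxe option; no upstream fix for expand_external_ents` so the tracker itself records the mitigation, since the only other mention of it is being removed from dla-needed.txt in this same commit.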

Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt	2017-04-20 14:03:58 UTC (rev 50850)
+++ data/dla-needed.txt	2017-04-20 14:17:08 UTC (rev 50851)
@@ -57,12 +57,6 @@
 libvpx (Emilio Pozuelo)
   NOTE: The CVEs needs further triaging.
 --
-libxml-twig-perl
-  NOTE: no upstream fix yet (as of 2017-02-28) for expand_external_ents
-  NOTE: but new no_xxe flag in 3.50 that could be backported
-  NOTE: 2016-12-13: Upstream ping here: https://rt.cpan.org/Public/Bug/Display.html?id=118097#txn-1690223
-  NOTE: 2017-01-20 and 2017-03-09: Ping upstream by private email -- Raphael Hertzog
---
 libxslt (Emilio Pozuelo)
   NOTE: it's not clear whether libxslt (the library) should call srand() itself.
   NOTE: xsltproc 1.1.29 has a --seed-rand option, but that's not present in wheezy,
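Review bot: deleting this block discards the only record of the upstream contact history (the RT ping of 2016-12-13 with its `#txn-1690223` link, and the private e-mails of 2017-01-20 and 2017-03-09) together with the pointer to the 3.50 no_xxe flag; the CVE entry that survives only carries the bare RT ticket URL. Carry at least the RT transaction link and the ping dates into `NOTE:` lines on the CVE-2016-9180 entry before removing them here, otherwise whoever re-triages this for a later LTS release will not know upstream has already been pinged three times.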
