Bug#888547: CVE-2017-1000190

Markus Koschany apo at debian.org
Thu Aug 23 16:11:11 BST 2018


On 23.08.2018 at 15:55, Emmanuel Bourg wrote:
> On 23/08/2018 13:14, Markus Koschany wrote:
>> Apparently upstream doesn't consider this "to be their problem". Since
>> simple-xml has no reverse-dependencies and the current uploader is MIA,
>> I think we should consider requesting the removal of simple-xml.
> 
> simple-xml is a dependency of carrotsearch-randomizedtesting.
> 
> The fix should be trivial, it's just a matter of disabling external
> entities parsing on the underlying XML parser. And maybe we've already
> fixed the XML parser used by default.

My concern is that we have an upstream project that does not even
consider such a trivial fix. Then we have another example of a
fire-and-forget one time upload (simple-xml) and now the package is
carried "by the team". carrotsearch-randomizedtesting is a
test-dependency for lucene4.10 and spatial4j, same pattern, one time
upload, now carried by the team. And when I see that we ship at least
three versions of lucene in Debian, then I suppose we still have some
room for improvements.

The gist is: Better maintain few packages and do it well, instead of
maintaining many packages that just exist for collecting RC bugs.

Markus
