[Python-modules-team] CVE 2014-3242 & 3243 - SOAPPy
Yves-Alexis Perez
corsac at debian.org
Thu Jun 19 08:08:20 UTC 2014
On jeu., 2014-06-19 at 03:49 +0000, Nick Phillips wrote:
> While checking our procedures for tracking vulnerabilities in
> non-Debian-provided packages, I noticed that python-soappy in wheezy has
> a couple of outstanding vulns.
I guess you mean CVE-2014-3242 and CVE-2014-3243? Since they are
public, discussion can (and should) open on the BTS, feel free to open
a bug there (and tag it security).
> I had a brief chat to Adam Barratt (SRM) about this on IRC as well, and
> while not keen, he did seem willing to give the possibility the time of
> day at least. He suggested filing a p-u bug with the relevant
> information, but I thought I'd mail you guys first to see whether you'd
> be inclined to agree with the solution and that doing so wouldn't be
> treading on any toes.
Hi, and thanks for the notice. Indeed, adding a new package to Wheezy
doesn't look really good, but if it's actually the only option and the
SRM are somehow ok with that, I guess we can go that road.
>
> DPMT guys - there's no big deal with this for sid, as defusedxml is
> already available. Happy to NMU latest SOAPPy from pypi if desired. Or,
> since I already have fixed packages here, I can equally happily STFU and
> leave you all alone.
Well, for sid you can just proceed with standard NMU practices, I guess.
For Wheezy, we would need to wait for the new package to appear anyway.
For Squeeze, we should just mark the package as unsupported.
Regards,
--
Yves-Alexis