Summary: | <dev-python/feedparser-5.0.1: Multiple vulnerabilities (CVE-2011-{1156,1157,1158}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Tim Sammut (RETIRED) <underling> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | python |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://code.google.com/p/feedparser/ | ||
Whiteboard: | B3 [noglsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 359819 | ||
Bug Blocks: |
Description
Tim Sammut (RETIRED)
2011-03-15 04:06:18 UTC
Maintainer timeout (short because it's a security issue), let's add arches. Arches, please stabilize =dev-python/feedparser-5.0.1

ppc/ppc64 stable

amd64 done

I tested on x86 and found a failing test, if libsoup is installed. Bug 359819. This seems to be a regression. Added as a dependency, will wait a bit before stabilizing.

dev-python/feedparser-4.1 doesn't have any tests, so test failures in newer versions are not a regression.

Adding CVE assignment per http://www.openwall.com/lists/oss-security/2011/03/15/11.

> > * Fix issue 91 (invalid text in XML declaration causes sanitizer to crash)
> > https://code.google.com/p/feedparser/issues/detail?id=91

Use CVE-2011-1156

> > * Fix issue 254 (sanitization can be bypassed by malformed XML comments)
> > https://code.google.com/p/feedparser/issues/detail?id=254

Use CVE-2011-1157

> > * Fix issue 255 (sanitizer doesn't strip unsafe URI schemes)
> > https://code.google.com/p/feedparser/issues/detail?id=255

Use CVE-2011-1158

Oh yeah, the good old "it's not a regression" train. Great. It's still bad, you know... x86 stable.

Stable on alpha.

ia64/sparc stable

Thanks, folks. GLSA Vote: no.

CVE-2011-1158 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1158): Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) 5.x before 5.0.1 allows remote attackers to inject arbitrary web script or HTML via an unexpected URI scheme, as demonstrated by a javascript: URI.

CVE-2011-1157 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1157): Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) 5.x before 5.0.1 allows remote attackers to inject arbitrary web script or HTML via malformed XML comments.

CVE-2011-1156 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1156): feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) before 5.0.1 allows remote attackers to cause a denial of service (application crash) via a malformed DOCTYPE declaration.

Voting no too, and closing.
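The CVE-2011-1158 entry above describes the general bug class (a feed sanitizer that strips known-bad tags but lets an unexpected URI scheme such as `javascript:` through in `href`/`src`). The following is an added example, written for this page and not code from feedparser or the Gentoo bug, of the allowlist approach that closes that hole: a URI is accepted only if it is relative or its scheme is on an explicit allowlist, and the scheme is parsed the way a browser would, after dropping ASCII control characters and whitespace and after the HTML parser has already decoded character references, so `java&#9;script:` and `&#106;avascript:` are caught as well. The element, attribute and scheme allowlists, the `SchemeSanitizer` class and the sample snippet in the demo are all assumptions made for the illustration, not feedparser's actual lists or API; comments are discarded outright rather than re-emitted, which is the simplest way to avoid the comment-handling trouble CVE-2011-1157 describes.

```python
"""Allowlist-based URI scheme sanitizer for feed HTML.

Illustrative example only: not feedparser's code, and the allowlists
below are assumptions chosen for the demo.
"""
import re
from html import escape
from html.parser import HTMLParser

ACCEPTABLE_ELEMENTS = {"a", "b", "blockquote", "br", "code", "em", "i",
                       "img", "li", "ol", "p", "pre", "strong", "ul"}
ACCEPTABLE_ATTRIBUTES = {"alt", "href", "src", "title"}
URI_ATTRIBUTES = {"href", "src"}
ACCEPTABLE_URI_SCHEMES = {"ftp", "http", "https", "mailto"}
VOID_ELEMENTS = {"br", "img"}
DROP_CONTENT = {"script", "style"}     # element and its text both removed

# Browsers ignore ASCII control characters and leading whitespace when they
# parse a scheme, so "java\tscript:" still executes. Strip them before deciding.
_IGNORED = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def uri_is_safe(value: str) -> bool:
    """True if the URI is a relative reference or uses an allowlisted scheme."""
    m = _SCHEME.match(_IGNORED.sub("", value))
    if m is None:                      # no scheme at all: relative reference
        return True
    return m.group(1).lower() in ACCEPTABLE_URI_SCHEMES


class SchemeSanitizer(HTMLParser):
    """Re-emits only allowlisted elements/attributes; records stripped URIs."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropped: list[tuple[str, str, str]] = []   # (tag, attr, value)
        self._skip = 0                 # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skip += 1
            return
        if tag not in ACCEPTABLE_ELEMENTS:
            return                     # unknown element dropped, its text kept
        kept = []
        for name, value in attrs:
            value = value or ""        # HTMLParser has already decoded &#106; etc.
            if name not in ACCEPTABLE_ATTRIBUTES:
                continue
            if name in URI_ATTRIBUTES and not uri_is_safe(value):
                self.dropped.append((tag, name, value))
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif tag in ACCEPTABLE_ELEMENTS and tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                           # comments never reach the output


def sanitize(html: str) -> str:
    """Return the sanitized HTML fragment."""
    p = SchemeSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


def unsafe_uris(html: str) -> list[tuple[str, str, str]]:
    """Return the (tag, attribute, value) triples sanitize() strips."""
    p = SchemeSanitizer()
    p.feed(html)
    p.close()
    return p.dropped


if __name__ == "__main__":
    # Constructed sample of feed entry content, not taken from a real feed.
    sample = ('<p>Read <a href="https://example.com/post">more</a> or '
              '<a href="\tjava\nscript:alert(1)">click here</a> '
              '<img src="&#106;avascript:alert(2)" alt="x"></p>')
    print(sanitize(sample))
    print(unsafe_uris(sample))
```

Note what the decision is made on: the value after the HTML parser has decoded character references and after control characters are removed, which is what the browser will act on; the attribute is then dropped rather than rewritten, so no "cleaned" variant of an attacker-controlled URI is ever emitted.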