The feedparser homepage at $URL indicates that 5.0.1 includes three security fixes.

Current release: 5.0.1 - February 20, 2011
* Fix issue 91 (invalid text in XML declaration causes sanitizer to crash)
* Fix issue 254 (sanitization can be bypassed by malformed XML comments)
* Fix issue 255 (sanitizer doesn't strip unsafe URI schemes)

@python, 5.0.1 is already in the tree; thank you. Is it an appropriate target for stabilization?
Maintainer timeout (short because it's a security issue), let's add arches. Arches, please stabilize =dev-python/feedparser-5.0.1
ppc/ppc64 stable
amd64 done
I tested on x86 and found a failing test if libsoup is installed. Bug 359819. This seems to be a regression.
Added as a dependency, will wait a bit before stabilizing.
dev-python/feedparser-4.1 doesn't have any tests, so test failures in newer versions are not a regression.
Adding CVE assignment per http://www.openwall.com/lists/oss-security/2011/03/15/11.

> > * Fix issue 91 (invalid text in XML declaration causes sanitizer to
> > crash)

https://code.google.com/p/feedparser/issues/detail?id=91
Use CVE-2011-1156

> > * Fix issue 254 (sanitization can be bypassed by malformed XML
> > comments)

https://code.google.com/p/feedparser/issues/detail?id=254
Use CVE-2011-1157

> > * Fix issue 255 (sanitizer doesn't strip unsafe URI schemes)

https://code.google.com/p/feedparser/issues/detail?id=255
Use CVE-2011-1158
Oh yeah, the good old "it's not a regression" train. Great. It's still bad, you know... x86 stable.
Stable on alpha.
ia64/sparc stable
Thanks, folks. GLSA Vote: no.
CVE-2011-1158 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1158): Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) 5.x before 5.0.1 allows remote attackers to inject arbitrary web script or HTML via an unexpected URI scheme, as demonstrated by a javascript: URI.

CVE-2011-1157 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1157): Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) 5.x before 5.0.1 allows remote attackers to inject arbitrary web script or HTML via malformed XML comments.

CVE-2011-1156 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1156): feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) before 5.0.1 allows remote attackers to cause a denial of service (application crash) via a malformed DOCTYPE declaration.
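The CVE-2011-1158 entry above describes a sanitizer that let unexpected URI schemes through. The following is an added example, not feedparser's own code, showing the allowlist approach a feed consumer can apply to link attributes before rendering: only known-safe schemes (or scheme-less relative URIs) pass, and whitespace or control characters are stripped before the scheme is read so they cannot disguise one. The scheme list and attribute names are assumptions chosen for illustration.

```python
import re

# Assumed allowlist: schemes the consumer is willing to emit into HTML.
# Anything not listed fails closed, including misspelled or unknown schemes.
SAFE_URI_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})

# Assumed set of HTML attributes whose values are URIs.
URI_ATTRIBUTES = frozenset({"href", "src", "cite", "longdesc", "poster", "action"})

# ASCII whitespace and C0/DEL controls: browsers tolerate these inside a
# scheme, so they are removed before the scheme is examined.
_CONTROL_RE = re.compile(r"[\x00-\x20\x7f]")
_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")


def scheme_of(uri: str) -> str:
    """Return the lower-cased URI scheme, or '' for a relative URI."""
    cleaned = _CONTROL_RE.sub("", uri)
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else ""


def is_safe_uri(uri: str) -> bool:
    """Allowlist check: relative URIs and allowlisted schemes pass."""
    scheme = scheme_of(uri)
    return scheme == "" or scheme in SAFE_URI_SCHEMES


def sanitize_href(uri: str) -> str:
    """Return the URI unchanged if allowed, otherwise an empty string."""
    return uri if is_safe_uri(uri) else ""


def sanitize_attrs(attrs: dict) -> dict:
    """Drop URI-bearing attributes that fail the allowlist; keep the rest."""
    return {
        name: value
        for name, value in attrs.items()
        if name.lower() not in URI_ATTRIBUTES or is_safe_uri(value)
    }


if __name__ == "__main__":
    # Constructed sample attributes, as a feed sanitizer might see them.
    sample = {"href": "javascript:void(0)", "title": "link", "src": "https://example.org/a.png"}
    print(sanitize_attrs(sample))
```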
voting no too, and closing.