From debian bugzilla at $URL:

Description: A remote attacker could provide a specially-crafted input which, once processed by an application using the Python language API of the ClearSilver neo_cgi module, could lead to a crash of that particular application or, potentially, arbitrary code execution with the privileges of the user running the application.

Solution: There is a proposed patch: https://bugzilla.redhat.com/attachment.cgi?id=537196
CVE-2011-4357 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4357): Format string vulnerability in the p_cgi_error function in python/neo_cgi.c in the Python CGI Kit (neo_cgi) module for Clearsilver 0.10.5 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers that are not properly handled when creating CGI error messages using the cgi_error API function.
This is fixed upstream in http://code.google.com/p/clearsilver/source/detail?r=919 but there has been no release since then. Recommended to patch using the provided patch in comment 0 / upstream patch.
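As an added illustration of the bug class named in the CVE text (hypothetical C, not ClearSilver's p_cgi_error or the upstream patch): a caller-supplied error message must be passed as an argument to a fixed format, never as the format itself. The second function is a review aid that counts how many conversions an ordinary-looking message would trigger if it were ever misused as a format.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the bug class, not ClearSilver's code.
 * The unsafe pattern the advisory describes amounts to handing a
 * caller-supplied message straight to a printf-style function as the
 * format argument; every '%' conversion in the message is then
 * interpreted and consumes arguments that were never passed. */

/* Hardened form: the message is always an argument, never the format. */
int build_cgi_error(char *out, size_t outlen, const char *user_msg)
{
    return snprintf(out, outlen, "CGI error: %s", user_msg);
}

/* Review aid: count the '%' conversions a string would trigger if used
 * as a format ("%%" is a literal percent sign, not a conversion). */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped "%%": skip both characters */
            p++;
            continue;
        }
        n++;                    /* "% u", "%s", "%x", ... all count */
    }
    return n;
}

int main(void)
{
    /* Constructed sample: an innocent-looking message containing '%'. */
    const char *msg = "quota 90% used: %s %x";
    char buf[128];

    build_cgi_error(buf, sizeof buf, msg);
    printf("%s\n", buf);
    printf("conversions if misused as a format: %d\n", count_conversions(msg));
    return 0;
}
```

Note that even "90% used" is a conversion ("% u" is a space-flagged unsigned decimal), which is why the fix must be a fixed "%s" format rather than any attempt to sanitise the message.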
Still no movement on a patch or release from upstream. Candidate for tree cleaning with no rdeps.
# Aaron Bauman <bman@gentoo.org> (05 Mar 2016)
# Per security bug #392325 this package is vulnerable
# and unmaintained. Removal in 30 days.
dev-libs/clearsilver
Removed: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=904ee299793b9560dec0696f25708cfaa6ef92aa