Your message dated Sat, 4 Oct 2008 22:13:01 -0400 with message-id <[EMAIL PROTECTED]> and subject line "This is not a bug" has caused the Debian Bug report #498671, regarding "Is libxml-rsslite really suitable for stable?", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.)

--
498671: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498671
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libxml-rsslite-perl
Version: 0.11-3
Severity: serious
File: /usr/share/perl5/XML/RSSLite.pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(1) It seems abandoned upstream — the last update is Feb 2003 according to CPAN.

(2) bug 443629 (CDATA handling) makes it useless for a large number of feeds, and worse, even feeds that work now may break at any time — CDATA is standard XML, after all.

(3) bug 443629 is not just a CDATA problem. It's actually a nearly-arbitrary regexp injection. e.g.,

    <f(?2)o>{hello}</f(?2)o>

gives

    Reference to nonexistent group in regex; marked by <-- HERE in m/f(?2) <-- HERE o/ at /usr/share/perl5/XML/RSSLite.pm line 266.

Thankfully, { and } are changed to spaces, so (?{code}) is not possible, so it's probably just a DoS attack (e.g., via exponential time regexp).

(4) libxml-rsslite-perl has no reverse dependencies in lenny or sid.

(5) popcon data (vote):
    13  http://qa.debian.org/popcon.php?package=libxml-rsslite-perl
    357 http://qa.debian.org/popcon.php?package=libxml-rss-perl
    1   http://qa.debian.org/popcon.php?package=libxml-feedpp-perl [new]

Overall, the module isn't very widely used, is of questionable quality, is probably a security issue, is abandoned upstream, and I suggest doesn't belong in lenny.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjJ5ksACgkQ+z+IwlXqWf7iLACeL5Z91gwVbOZ64Ij6diC9x+4w
xdgAnRn0EgGawHND3/zsOX0dcEgUiojh
=VoDC
-----END PGP SIGNATURE-----
--- End Message ---
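The regexp injection described in item (3) of the report above, as an added example that is not code from XML::RSSLite or from either message in this thread: an element name read from the document is interpolated unquoted into the regex that looks for its closing tag, shown beside a hardened version that first checks the name against a simple XML-name rule and then quotes it with \Q...\E (quotemeta). The two function names, the name-validation pattern and the two input fragments are assumptions of this example, not anything from the module.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not code from XML::RSSLite. It models the pattern the
# bug report describes: an element name taken from the document is
# interpolated into the regex that hunts for the matching close tag, so
# regex metacharacters in the name become pattern syntax.

# Vulnerable: $tag comes from the document and is interpolated as regex.
sub first_element_unsafe {
    my ($xml) = @_;
    my ($tag) = $xml =~ m{<([^\s>/]+)>} or return;
    my ($body) = $xml =~ m{<$tag>(.*?)</$tag>}s;   # $tag is regex syntax here
    return ($tag, $body);
}

# Hardened: reject anything that does not look like an XML name, then
# quote the name anyway so it can only ever match literally.
sub first_element_safe {
    my ($xml) = @_;
    my ($tag) = $xml =~ m{<([^\s>/]+)>} or return;
    # Assumed name rule for this example; narrower than the XML spec's
    # full Name production, which is fine for a reject-by-default check.
    return unless $tag =~ /^[A-Za-z_:][\w.:-]*$/;
    my ($body) = $xml =~ m{<\Q$tag\E>(.*?)</\Q$tag\E>}s;   # \Q...\E = quotemeta
    return ($tag, $body);
}

# Constructed inputs; the second reuses the element name from the report.
my $benign  = '<title>hello</title>';
my $hostile = '<f(?2)o>hello</f(?2)o>';

my ($t, $b) = first_element_unsafe($benign);
print "unsafe, benign : <$t> => $b\n";

# The hostile name reaches the regex compiler as syntax; trap the die.
my @r = eval { first_element_unsafe($hostile) };
print "unsafe, hostile: died: $@" if $@;

@r = first_element_safe($hostile);
print "safe, hostile  : ", (@r ? "<$r[0]> => $r[1]" : "rejected"), "\n";

($t, $b) = first_element_safe($benign);
print "safe, benign   : <$t> => $b\n";
```

Run it with `perl example.pl`. On the hostile input the unsafe path dies at regex compile time with the same "Reference to nonexistent group in regex" error the report quotes, because `(?2)` refers to a second capture group the pattern does not have; a name built from a nested quantifier would instead compile and then backtrack, which is the DoS angle the report raises. In the hardened path the name check rejects `f(?2)o` before any regex is built, and even a name that passes the check is quoted by `\Q...\E`, so it never reaches the regex engine as syntax.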
--- Begin Message ---
This isn't a bug at all, all the reasons cited aren't actually bugs.

> (1) It seems abandoned upstream — the last update is Feb 2003 according
> to CPAN.

That's not a bug, and doesn't make this package RC.

> (2) bug 443629 (CDATA handling) makes it useless for a large number of
> feeds, and worse even feeds that work now may break at any time — CDATA
> is standard XML, after all.

Each bug stands on its own. Don't file another bug to point at some other bug.

> (3) bug 443629 is not just a CDATA problem. It's actually a
> nearly-arbitrary regexp injection. e.g.,
> <f(?2)o>{hello}</f(?2)o>
> gives
> Reference to nonexistent group in regex; marked by <-- HERE in
> m/f(?2) <-- HERE o/ at /usr/share/perl5/XML/RSSLite.pm line 266.
> Thankfully, { and } are changed to spaces, so (?{code}) is not
> possible, so it's probably just a DoS attack (e.g., via exponential time
> regexp).

See above.

> (4) libxml-rsslite-perl has no reverse dependencies in lenny or sid.
> (5) popcon data:

Not really a bug either.

> Overall, the module isn't very widely used, is of questionable quality,
> is probably a security issue, is abandoned upstream, and I suggest
> doesn't belong in lenny.

If you wanted to file a removal request, that should be done another way; you've filed a bug that doesn't actually report any bug at all. Please do file an actual security bug, if there is one, but 'probably a security bug' isn't strong enough to file a bug.

I'm closing this bug, feel free to open a RM request, if you feel that's the correct way to go.

Micah
--- End Message ---

