Hi... While checking our procedures for tracking vulnerabilities in non-Debian-provided packages, I noticed that python-soappy in wheezy has a couple of outstanding vulns.

Apparently (according to pabs on IRC, can't remember where he checked) the python-soappy maintainer(s) - Debian Python Modules Team <[email protected]> - haven't responded to contacts about this. I've prepared a fixed package for our own local use, and would be happy to help with getting fixed packages into wheezy/sid.

There's one complication with the package for wheezy; while I have only pulled in the upstream (new upstream since version in wheezy) changes relevant to the fix, the fix used is the Python community's recommended one of using defusedxml. Which isn't in wheezy.

It seems to me (and in a brief discussion on IRC, pabs) that getting the python-defusedxml package into wheezy would be the best solution:

* per https://docs.python.org/2/library/xml.html#xml-vulnerabilities it is the recommended way to avoid XXE etc. in Python 2.x;
* there are various other packages using xml.sax in a potentially unsafe manner in wheezy, and if it turns out that any requires a security update, the best solution is likely to require the use of defusedxml;
* any 3rd-party or user-written code attempting to avoid XXE etc. in Python 2.x code should be using defusedxml, and there is no supported way to achieve this in wheezy at present;
* the only possible instability from adding a package that no existing package uses would be from people who currently have a different version of it installed locally, and a borked PYTHONPATH.

I had a brief chat to Adam Barratt (SRM) about this on IRC as well, and while not keen, he did seem willing to give the possibility the time of day at least. He suggested filing a p-u bug with the relevant information, but I thought I'd mail you guys first to see whether you'd be inclined to agree with the solution and that doing so wouldn't be treading on any toes.

DPMT guys - there's no big deal with this for sid, as defusedxml is already available. Happy to NMU latest SOAPPy from pypi if desired.

Or, since I already have fixed packages here, I can equally happily STFU and leave you all alone.

Cheers,

Nick

--
Nick Phillips / [email protected] / [email protected] / 03 479 4195
# These statements are mine, not those of the University of Otago

_______________________________________________
Python-modules-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team
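An added example (not SOAPpy's or defusedxml's own code) of the difference the mail's recommendation makes, written for Python 3's standard library: a constructed SOAP-shaped document with nested DTD entities is expanded by the stock xml.sax reader, while a reader subclass that rejects entity declarations, the same technique defusedxml's sax reader uses, refuses it before any expansion. The element names, the sample document and the class names are my own assumptions.

```python
import io
import xml.sax
from xml.sax.expatreader import ExpatParser
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample: SOAP-shaped document whose DTD declares nested entities.
ENTITY_XML = """<?xml version="1.0"?>
<!DOCTYPE Envelope [
  <!ENTITY a "lol">
  <!ENTITY b "&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;">
]>
<Envelope><Body><echo>&c;</echo></Body></Envelope>"""

class EntitiesForbidden(ValueError):
    """Raised as soon as the DTD declares any entity, internal or external."""
class TextCollector(ContentHandler):
    def __init__(self):
        super().__init__()
        self.chunks = []  # character data the reader delivers, in order
    def characters(self, content):
        self.chunks.append(content)

class DefusedExpatParser(ExpatParser):
    """xml.sax reader that refuses entity declarations, as defusedxml's does."""
    def reset(self):
        super().reset()
        # Abort on the first <!ENTITY ...> declaration, before any expansion.
        self._parser.EntityDeclHandler = self._forbid_entity
    def _forbid_entity(self, name, *args):
        raise EntitiesForbidden("entity declaration %r rejected" % name)

def parse_text(xml_bytes, parser):
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.setFeature(feature_external_ges, False)  # never fetch external entities
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)  # concatenated character data

def expanded_length(xml_text):
    """Stock xml.sax reader: internal entities still expand (3 -> 12 -> 48 chars)."""
    return len(parse_text(xml_text.encode(), xml.sax.make_parser()))

def hardened_rejects(xml_text):
    """Hardened reader: True when the document is refused before any expansion."""
    try:
        parse_text(xml_text.encode(), DefusedExpatParser())
    except EntitiesForbidden:
        return True
    return False
```

Disabling external general entities alone (as the stock reader above does) does not stop the internal-entity expansion; only refusing the declarations does, which is why the mail argues for defusedxml rather than a feature flag.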

