Bug#977468: smuxi is marked for autoremoval from testing
On Wed, Mar 17, 2021 at 4:13 AM Moritz Mühlenhoff wrote:
> > Having identified the offending code the fix is a one line change on the
> > other hand. I plan to upload a fixed version of log4net in the coming
> > days.
>
> What's the status of that upload? Patch is at
> https://github.com/apache/logging-log4net/commit/d0b4b0157d4af36b23c24a23739c47925c3bd8d7

After some struggles with my pbuilder setup I have pushed the backported fix
for CVE-2018-1285 to salsa [0]. Since I don't have access to my PGP key during
the pandemic, I am looking for a sponsor for the upload of HEAD [1]. The source
package builds from HEAD as 1.2.10+dfsg-8 and is ready for a build with gbp and
upload.

[0]: https://salsa.debian.org/dotnet-team/log4net/-/commit/3f6f2fa7927ceb8c7dd72e4f8cf4194ad3779bc6
[1]: https://salsa.debian.org/dotnet-team/log4net/-/commit/a1a1620bb68b815713e7408824be04825e544c27

Best regards,

Mirco Bauer
Security Architect  mirco.ba...@bitgamelabs.com  https://bgl.hk/
FOSS Hacker  mee...@meebey.net  https://www.meebey.net/
Debian Developer  mee...@debian.org  http://www.debian.org/
GNOME Foundation Member  mmmba...@gnome.org  http://www.gnome.org/
.NET Foundation Advisory Council Member  http://www.dotnetfoundation.org/
PGP-Key ID 0x7127E5ABEEF946C8  https://meebey.net/pubkey.asc
Bug#977468: smuxi is marked for autoremoval from testing
On Mon, Jan 11, 2021 at 10:54:27AM +0800, Mirco Bauer wrote:
> Thanks for your email and raised concern, Jeremy.
>
> Full accessibility in Smuxi has been a high priority for me for a long
> time.
>
> I looked into the vulnerability of the log4net library that Smuxi depends
> on. My assessment doesn't classify an XXE for a local configuration file as
> release critical. An attacker would need to have write access to the
> configuration file to exploit it. At that point an XXE is pointless, he can
> just execute curl, wget, perl, python or write something to ~/.bashrc
> directly.
> Having identified the offending code the fix is a one line change on the
> other hand. I plan to upload a fixed version of log4net in the coming days.

What's the status of that upload? Patch is at
https://github.com/apache/logging-log4net/commit/d0b4b0157d4af36b23c24a23739c47925c3bd8d7

Cheers,
Moritz
Bug#977468: smuxi is marked for autoremoval from testing
Hi Mirco,

On Mon, Jan 11, 2021 at 10:54:27AM +0800, Mirco Bauer wrote:
> Thanks for your email and raised concern, Jeremy.
>
> Full accessibility in Smuxi has been a high priority for me for a long
> time.
>
> I looked into the vulnerability of the log4net library that Smuxi depends
> on. My assessment doesn't classify an XXE for a local configuration file as
> release critical. An attacker would need to have write access to the
> configuration file to exploit it. At that point an XXE is pointless, he can
> just execute curl, wget, perl, python or write something to ~/.bashrc
> directly.

I can agree here. What I thought to raise is a concern: Is log4net actively
maintained? An RC severity might be warranted in such a case to highlight the
problem. log4net has been on the same version since stretch for the Debian
revision, and even longer for the upstream version. This is what the comment
in message 14 tried to explain.

> Having identified the offending code the fix is a one line change on the
> other hand. I plan to upload a fixed version of log4net in the coming days.

Do you have a chance to make an upload so that the underlying issue is fixed
at least starting in bullseye?

> To bump the version to the latest one of log4net so late in the release
> cycle I don't see as a good option. There are 2 other reverse dependencies
> that could break, of which I am not upstream.

Jupp, this might definitively be too late now.

Regards,
Salvatore
Bug#977468: smuxi is marked for autoremoval from testing
Thanks for your email and raised concern, Jeremy.

Full accessibility in Smuxi has been a high priority for me for a long time.

I looked into the vulnerability of the log4net library that Smuxi depends on.
My assessment doesn't classify an XXE for a local configuration file as release
critical. An attacker would need to have write access to the configuration
file to exploit it. At that point an XXE is pointless, he can just execute
curl, wget, perl, python or write something to ~/.bashrc directly.

Having identified the offending code the fix is a one line change on the other
hand. I plan to upload a fixed version of log4net in the coming days.

To bump the version to the latest one of log4net so late in the release cycle
I don't see as a good option. There are 2 other reverse dependencies that could
break, of which I am not upstream.

Best regards,

Mirco Bauer
Smuxi and Debian developer

On Sun, 10 Jan 2021, 19:53 Jérémy Prego, wrote:
> hello,
>
> as a blind user, I regret removing smuxi from debian. I am a daily smuxi
> user. Unfortunately, this is the only accessible graphical irc client
> that I know of under Debian. for other types of messaging i use pidgin,
> but for irc i really like to use smuxi ...
>
> is there really no solution to keep smuxi in debian?
>
> thanks,
>
> Jerem
>
> On 10/01/2021 at 05:39, Debian testing autoremoval watch wrote:
> > smuxi 1.0.7-5.1 is marked for autoremoval from testing on 2021-02-08
> >
> > It (build-)depends on packages with these RC bugs:
> > 977468: log4net: CVE-2018-1285
> > https://bugs.debian.org/977468
> >
> >
> > This mail is generated by:
> > https://salsa.debian.org/release-team/release-tools/-/blob/master/mailer/mail_autoremovals.pl
> >
> > Autoremoval data is generated by:
> > https://salsa.debian.org/qa/udd/-/blob/master/udd/testing_autoremovals_gatherer.pl
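Mirco's assessment above concerns XXE when log4net parses its XML configuration file. As an added example (not the log4net patch linked in the thread and not the project's own code), the C# loader below shows the defensive setting such a config parser needs: DTD processing prohibited and no external resolver, so a config with an entity declaration is rejected instead of expanded. It assumes .NET 4.0 or later for `DtdProcessing`; on older frameworks the equivalent is `ProhibitDtd = true`, and the sample config strings are constructed here.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example: hardened loading of a log4net-style XML configuration.
// Not the log4net source; the config strings below are constructed samples.
static class SafeConfigLoader
{
    // Constructed sample: a plain configuration with no DOCTYPE.
    const string BenignConfig = @"<?xml version=""1.0""?>
<log4net>
  <appender name=""Console"" type=""log4net.Appender.ConsoleAppender"" />
</log4net>";

    // Constructed sample: a configuration that declares an external entity.
    // The URI is a placeholder; with DTDs prohibited it is never resolved.
    const string DtdConfig = @"<?xml version=""1.0""?>
<!DOCTYPE log4net [ <!ENTITY ext SYSTEM ""file:///placeholder/not/read""> ]>
<log4net><appender name=""&ext;"" /></log4net>";

    // Parse XML text with DTDs refused and external resolution disabled.
    // Throws XmlException for any document that carries a DOCTYPE.
    public static XmlDocument Load(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // no DOCTYPE, hence no entities
            XmlResolver = null                      // never fetch external resources
        };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            var doc = new XmlDocument { XmlResolver = null }; // belt and braces
            doc.Load(reader);
            return doc;
        }
    }

    static void Main()
    {
        Console.WriteLine(Load(BenignConfig).DocumentElement.Name); // "log4net"
        try
        {
            Load(DtdConfig);
            Console.WriteLine("unexpected: DTD config was accepted");
        }
        catch (XmlException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

The same two settings apply to any `XmlReader`-based parser of untrusted or user-writable XML; `XmlDocument.Load(string)` on old frameworks parses DTDs by default, which is why the explicit reader settings matter.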