This isn't a bug at all, all the reasons cited aren't actually bugs.

> (1) It seems abandoned upstream — the last update is Feb 2003 according
> to CPAN.

That's not a bug, and doesn't make this package RC.

> (2) bug 443629 (CDATA handling) makes it useless for a large number of
> feeds, and worse even feeds that work now may break at any time — CDATA
> is standard XML, after all.

Each bug stands on its own. Don't file another bug to point at some other bug.

> (3) bug 443629 is not just a CDATA problem. It's actually a
> nearly-arbitrary regexp injection. e.g.,
> <f(?2)o>{hello}</f(?2)o>
> gives
> Reference to nonexistent group in regex; marked by <-- HERE in
> m/f(?2) <-- HERE o/ at /usr/share/perl5/XML/RSSLite.pm line 266.
> Thankfully, { and } are changed to spaces, so (?{code}) is not
> possible, so it's probably just a DoS attack (e.g., via exponential time
> regexp).

See above.

> (4) libxml-rsslite-perl has no reverse dependencies in lenny or sid.
> (5) popcon data:

Not really a bug either.

> Overall, the module isn't very widely used, is of questionable quality,
> is probably a security issue, is abandoned upstream, and I suggest
> doesn't belong in lenny.

If you wanted to file a removal request, that should be done another way, you've filed a bug that doesn't actually report any bug at all. Please do file an actual security bug, if there is one, but 'probably a security bug' isn't strong enough to file a bug.

I'm closing this bug, feel free to open a RM request, if you feel that's the correct way to go.

Micah
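The mechanism described in point (3) of the quoted report, as an added Perl example that is not part of the original message and is not code from XML::RSSLite: a tag name interpolated into a pattern is compiled as regex syntax unless it is escaped first. The `extract` helper is hypothetical, and the only input is the element quoted in the report.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Element taken from the report; everything else here is constructed.
my $xml = '<f(?2)o>{hello}</f(?2)o>';

# Hypothetical helper (not XML::RSSLite code): return the body of <$tag>.
# With $escape false the tag name is compiled as regex syntax; with it
# true, quotemeta() turns every metacharacter into a literal first.
sub extract {
    my ($doc, $tag, $escape) = @_;
    my $name = $escape ? quotemeta($tag) : $tag;

    # A pattern built from a variable is compiled at run time, so a bad
    # tag name dies here; eval keeps that from killing the whole parser.
    my $re = eval { qr{<$name>(.*?)</$name>}s };
    unless (defined $re) {
        chomp(my $err = $@);
        return (undef, "pattern rejected: $err");
    }
    return $doc =~ $re ? ($1, undef) : (undef, 'no match');
}

for my $escape (0, 1) {
    my ($body, $err) = extract($xml, 'f(?2)o', $escape);
    printf "%-10s %s\n", $escape ? 'escaped:' : 'unescaped:',
        defined $body ? "body=$body" : $err;
}
```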