Hi. I've worked these last days on updating planet-venus to both update it to latest upstream, and to get rid of the embedded copy of python-feedparser (instead depending on the Debian package).
I've uploaded the resulting package to experimental [0]. This should address the security issue, but we'll need more tests before we can upload it safely to unstable, which I'll be unable to do, having no production planet at hand.

For reference, the result is in the PAPT SVN on an 'experimental' branch, should anyone take the risk and upload it to unstable.

Best regards,

Olivier Berger <[email protected]> writes:

> It seems planet-venus suffers from security issues due to the embedded
> copy of an old python-feedparser (see #684246, which had already been
> notified in #555355, btw... now forcemerged). It looks like this
> hasn't been noticed, even though the security tag on #684246
> (?). Proper credit should go to the initial reporter of #684246, in any
> case.
>
> AFAICT, the feedparser copy in planet-venus corresponds to upstream
> rev. 39ecbd934a40e427b903988110748207ac7a0183 [1]. This was 83 commits
> behind v.5.0.1 of feedparser that appeared in Debian to fix the 3 CVEs
> referenced below (see #617998).
>
> The orig tarball of planet-venus itself corresponds to
> rev. 83447dcc23c4ffa2c9715c0bf56d873624d78add in the upstream git repo [2]
> (it moved from bzr to git apparently). FYI, this is about 68 commits
> and one year and a half behind latest upstream...
>
> I'm not sure what should be done to bring planet-venus into better
> shape, but I believed it couldn't harm to try and update the package.

[0] http://packages.qa.debian.org/p/planet-venus/news/20140127T163350Z.html

-- 
Olivier BERGER
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)
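The underlying problem in this thread is an embedded (vendored) copy of a library that silently falls behind the security-fixed version shipped by the distribution. The following script is an added example, not part of planet-venus, feedparser or any Debian tooling: it walks a source tree, finds every copy of a given module file, reads its `__version__` string, and reports the copies that are older than a reference version (for instance the version of the system package). The sample tree, the vendored path `planet/vendor/feedparser.py` and the version strings it contains are constructed for illustration; the only assumption about the real module is that it exposes a `__version__` string, as feedparser does.

```python
"""Find vendored copies of a Python module in a source tree and flag any
that are older than a reference version.

Added example for this thread; it is not part of planet-venus or any
Debian tooling. The sample tree, paths and version strings below are
constructed for illustration (assumption: the vendored module exposes a
``__version__`` string, as feedparser does).
"""
import os
import re
import tempfile

# Matches a top-level ``__version__ = "..."`` / ``'...'`` assignment.
VERSION_RE = re.compile(r'^__version__\s*=\s*[\'"]([^\'"]+)[\'"]', re.M)


def parse_version(text):
    """Turn '5.0.1' into (5, 0, 1); a non-numeric component sorts lowest.

    Deliberately simple: dotted numeric prefixes are enough to order the
    versions we care about here, and it avoids any third-party dependency.
    """
    parts = []
    for piece in text.split('.'):
        m = re.match(r'(\d+)', piece)
        parts.append(int(m.group(1)) if m else -1)
    return tuple(parts)


def find_vendored(root, module_file):
    """Return sorted [(path, version_or_None)] for every module_file under root."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if module_file in filenames:
            path = os.path.join(dirpath, module_file)
            with open(path, encoding='utf-8', errors='replace') as fh:
                m = VERSION_RE.search(fh.read())
            found.append((path, m.group(1) if m else None))
    return sorted(found)


def outdated_copies(root, module_file, reference_version):
    """Copies whose version is unknown or older than reference_version.

    A copy with no version string is reported too: an unversioned embedded
    copy cannot be matched against any advisory, which is exactly the
    situation in which a fix gets missed.
    """
    ref = parse_version(reference_version)
    return [(p, v) for p, v in find_vendored(root, module_file)
            if v is None or parse_version(v) < ref]


def build_sample_tree():
    """Constructed sample tree: a package vendoring an old feedparser copy.

    Paths and version strings are made up for this example.
    """
    root = tempfile.mkdtemp(prefix='vendor-scan-')
    os.makedirs(os.path.join(root, 'planet', 'vendor'))
    with open(os.path.join(root, 'planet', 'vendor', 'feedparser.py'), 'w') as fh:
        fh.write('"""Universal feed parser (constructed sample)"""\n'
                 '__version__ = "4.2-pre-314"\n')
    os.makedirs(os.path.join(root, 'tests'))
    with open(os.path.join(root, 'tests', 'feedparser.py'), 'w') as fh:
        fh.write('# constructed stub without a version string\n')
    return root


if __name__ == '__main__':
    root = build_sample_tree()
    for path, version in outdated_copies(root, 'feedparser.py', '5.0.1'):
        print('outdated vendored copy: %s (version %s)' % (path, version))
```

Run it against an unpacked source package (replace `build_sample_tree()` with the package directory and pass the system package's version, e.g. from `dpkg-query -W -f='${Version}' python-feedparser`) to get a quick list of embedded copies that would need to be dropped in favour of a dependency on the Debian package.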

