Bug 684877 - (CVE-2009-5065, CVE-2011-1156, CVE-2011-1157, CVE-2011-1158) CVE-2009-5065 CVE-2011-1156 CVE-2011-1157 CVE-2011-1158 python-feedparser: multiple flaws corrected in version 5.0.1
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Depends On: 684878 684879
Reported: 2011-03-14 13:21 EDT by Vincent Danen
Modified: 2012-01-17 02:09 EST (History)

Doc Type: Bug Fix
Last Closed: 2012-01-17 02:09:29 EST

Description Vincent Danen 2011-03-14 13:21:54 EDT
The Python Feed Parser program (python-feedparser) recently released version 5.0.1 with the following fixes:

* Fix issue 91 (invalid text in XML declaration causes sanitizer to crash)
* Fix issue 254 (sanitization can be bypassed by malformed XML comments)
* Fix issue 255 (sanitizer doesn't strip unsafe URI schemes)

Giving the code a quick look, I don't believe the latter two issues affected 4.1 (possibly introduced in the 5.0 release).  The first issue was reported against version 4.1 so would affect what we currently ship in Fedora and EPEL.

Version 5.0.1 corrects these flaws. It may be worthwhile to update to the latest version as the 5.0 release corrected a number of bugs and added CSS/HTML5 sanitization.
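The three fixes listed above describe the two things a feed content sanitizer has to get right: it must not crash or leak markup when it meets input it does not understand (a malformed XML declaration, an odd comment), and it must judge link targets by an allowlist of URI schemes rather than passing them through. The following is an added illustration of both points written for this bug entry; it is not feedparser's own sanitizer and does not reproduce the code changed in 5.0.1. It uses only the Python standard library, and the tag, attribute and scheme allowlists are constructed for the example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlists constructed for this example; a real sanitizer would carry a
# much longer list (feedparser's own lists are not reproduced here).
ALLOWED_TAGS = {"a", "p", "b", "i", "em", "strong", "img", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URI_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", "ftp"}

# Browsers ignore ASCII control characters and whitespace while parsing a
# scheme, so the check normalises the value the same way before comparing.
_CONTROL_WS = re.compile(r"[\x00-\x20\x7f]")


def uri_is_safe(value):
    """True if the URI is relative (no scheme) or its scheme is allowlisted."""
    cleaned = _CONTROL_WS.sub("", value)
    # Only a ':' that appears before any '/', '?' or '#' can introduce a scheme.
    head = re.split(r"[/?#]", cleaned, maxsplit=1)[0]
    if ":" not in head:
        return True
    scheme = head.split(":", 1)[0].lower()
    return scheme in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """Rebuilds a fragment from an allowlist of tags, attributes and schemes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in URI_ATTRS and not uri_is_safe(value):
                continue  # unsafe scheme: drop the attribute entirely
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    # Comments, declarations (<!DOCTYPE ...>, CDATA) and processing
    # instructions such as an XML declaration are swallowed rather than
    # echoed or parsed further, so odd input here cannot raise or leak.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def unknown_decl(self, data):
        pass

    def handle_pi(self, data):
        pass


def sanitize(fragment):
    """Return the allowlisted, re-serialised form of an HTML fragment."""
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed feed entry content: an XML declaration, a comment and a link.
    sample = '<?xml version="1.0"?><p>See <!-- c --><a href="https://example.com/">here</a></p>'
    print(sanitize(sample))
```

The design choice worth noting is that both the scheme check and the element filter are allowlists: anything not explicitly permitted is dropped, so a scheme or markup construct the author did not anticipate fails closed instead of passing through.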
Comment 1 Vincent Danen 2011-03-14 13:23:15 EDT
Created python-feedparser tracking bugs for this issue

Affects: fedora-all [bug 684878]
Affects: epel-all [bug 684879]
Comment 2 Vincent Danen 2011-03-15 17:00:48 EDT
The following CVE names were assigned for these issues:

issue 91 received the name CVE-2011-1156

issue 254 received the name CVE-2011-1157

issue 255 received the name CVE-2011-1158

Comment 3 Vincent Danen 2011-03-16 11:58:53 EDT
There is another issue that would affect our version of python-feedparser (XSS vuln):
This would be fixed in the 5.0 release.  It does not yet have a CVE name.
Comment 4 Vincent Danen 2011-04-05 13:13:05 EDT
The XSS issue noted in comment #3 has been assigned the name CVE-2009-5065.
Comment 5 Luke Macken 2011-04-05 15:04:10 EDT
I just submitted python-feedparser-5.0.1 as an update for F15, F14, F13, EL6, and EL5.

Comment 6 Vincent Danen 2012-01-17 02:09:29 EST
Fedora and EPEL5/6 have been updated to 5.0.1.  python-feedparser on EPEL4 is noted as being an orphan package, and with RHEL4 EOL coming soon, I suspect if it hasn't been updated there by now, it won't be before EOL.
