Red Hat Bugzilla – Bug 684877
CVE-2009-5065 CVE-2011-1156 CVE-2011-1157 CVE-2011-1158 python-feedparser: multiple flaws corrected in version 5.0.1
Last modified: 2012-01-17 02:09:29 EST
The Python Feed Parser program (python-feedparser) recently released version 5.0.1 with the following fixes:
* Fix issue 91 (invalid text in XML declaration causes sanitizer to crash)
* Fix issue 254 (sanitization can be bypassed by malformed XML comments)
* Fix issue 255 (sanitizer doesn't strip unsafe URI schemes)
Giving the code a quick look, I don't believe the latter two issues affected 4.1 (possibly introduced in the 5.0 release). The first issue was reported against version 4.1 so would affect what we currently ship in Fedora and EPEL.
Version 5.0.1 corrects these flaws. It may be worthwhile to update to the latest version as the 5.0 release corrected a number of bugs and adds CSS/HTML5 sanitization.
Created python-feedparser tracking bugs for this issue
Affects: fedora-all [bug 684878]
Affects: epel-all [bug 684879]
The following CVE names were assigned for these issues:
issue 91 received the name CVE-2011-1156
issue 254 received the name CVE-2011-1157
issue 255 received the name CVE-2011-1158
There is another issue that would affect our version of python-feedparser (XSS vuln):
This would be fixed in the 5.0 release. It does not yet have a CVE name.
The XSS issue noted in comment #3 has been assigned the name CVE-2009-5065.
I just submitted python-feedparser-5.0.1 as an update for F15, F14, F13, EL6, and EL5.
Fedora and EPEL5/6 have been updated to 5.0.1. python-feedparser on EPEL4 is noted as being an orphan package, and with RHEL4 EOL coming soon, I suspect if it hasn't been updated there by now, it won't be before EOL.