Bug 684877 (CVE-2009-5065, CVE-2011-1156, CVE-2011-1157, CVE-2011-1158) - CVE-2009-5065 CVE-2011-1156 CVE-2011-1157 CVE-2011-1158 python-feedparser: multiple flaws corrected in version 5.0.1
Status: CLOSED ERRATA
Alias: CVE-2009-5065, CVE-2011-1156, CVE-2011-1157, CVE-2011-1158
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 684878 684879
Reported: 2011-03-14 17:21 UTC by Vincent Danen
Modified: 2019-09-29 12:43 UTC
Doc Type: Bug Fix
Last Closed: 2012-01-17 07:09:29 UTC

Description Vincent Danen 2011-03-14 17:21:54 UTC
The Python Feed Parser program (python-feedparser) recently released version 5.0.1 with the following fixes:

* Fix issue 91 (invalid text in XML declaration causes sanitizer to crash)
* Fix issue 254 (sanitization can be bypassed by malformed XML comments)
* Fix issue 255 (sanitizer doesn't strip unsafe URI schemes)

Giving the code a quick look, I don't believe the latter two issues affected 4.1 (possibly introduced in the 5.0 release). The first issue was reported against version 4.1 so would affect what we currently ship in Fedora and EPEL.

Version 5.0.1 corrects these flaws. It may be worthwhile to update to the latest version as the 5.0 release corrected a number of bugs and adds CSS/HTML5 sanitization.
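
The two sanitizer defects in issues 254 and 255 (comments that smuggle markup past the filter, and href/src values with unsafe URI schemes) are easiest to understand against a minimal, correct sanitizer. The following is an added illustration written for this page, not feedparser's own code; it uses only the standard library, and the tag and scheme allowlists are arbitrary choices for the demonstration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist, not a blocklist: any scheme not listed (javascript:, data:, vbscript:, ...)
# is rejected without having to be enumerated.
SAFE_SCHEMES = {"http", "https", "ftp", "mailto"}
URI_ATTRS = {"href", "src"}
ALLOWED_TAGS = {"a", "p", "b", "i"}

def uri_is_safe(value):
    """True if the URI is relative or uses an allowlisted scheme."""
    # Browsers ignore ASCII control characters and whitespace around and
    # inside the scheme, so remove them before deciding what the scheme is.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES

class FeedHTMLSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        # HTMLParser has already decoded entity references in attribute
        # values, so "javascript&#58;..." is checked in its decoded form.
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or (name in URI_ATTRS and not uri_is_safe(value)):
                continue  # drop the attribute, keep the element
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))

    def handle_comment(self, data):
        pass  # comments never reach the output, well-formed or not

def sanitize(html):
    parser = FeedHTMLSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Because the output is re-serialised from the parsed tree rather than copied from the input, nothing the parser did not recognise as an allowed element or attribute can survive, which is the property a bypass via malformed comments or odd scheme spellings relies on being absent.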

Comment 1 Vincent Danen 2011-03-14 17:23:15 UTC
Created python-feedparser tracking bugs for this issue

Affects: fedora-all [bug 684878]
Affects: epel-all [bug 684879]

Comment 2 Vincent Danen 2011-03-15 21:00:48 UTC
The following CVE names were assigned for these issues:

issue 91 received the name CVE-2011-1156

issue 254 received the name CVE-2011-1157

issue 255 received the name CVE-2011-1158

http://openwall.com/lists/oss-security/2011/03/15/11

Comment 3 Vincent Danen 2011-03-16 15:58:53 UTC
There is another issue that would affect our version of python-feedparser (XSS vuln):

http://code.google.com/p/feedparser/issues/detail?id=195

This would be fixed in the 5.0 release.  It does not yet have a CVE name.

Comment 4 Vincent Danen 2011-04-05 17:13:05 UTC
The XSS issue noted in comment #3 has been assigned the name CVE-2009-5065.

Comment 5 Luke Macken 2011-04-05 19:04:10 UTC
I just submitted python-feedparser-5.0.1 as an update for F15, F14, F13, EL6, and EL5.

https://admin.fedoraproject.org/updates/python-feedparser

Comment 6 Vincent Danen 2012-01-17 07:09:29 UTC
Fedora and EPEL5/6 have been updated to 5.0.1.  python-feedparser on EPEL4 is noted as being an orphan package, and with RHEL4 EOL coming soon, I suspect if it hasn't been updated there by now, it won't be before EOL.