[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: smuxi is marked for autoremoval from testing

Thanks for your email and raised concern, Jeremy.

Full accessibility in Smuxi has been a high priority for me for a long time. 

I looked into the vulnerability of the log4net library that Smuxi depends on. my assessment doesn't classify a XXE for local configuration file as release critical. An attacker would need to have write access to the configuration file to exploit it. It that point a XXE is pointless, he can just execute curl, wget, perl, python or write something to ~/.bashrc directly.
Having identified the offending code the fix is a one line change on the other hand. I plan to upload a fixed version of log4net in the coming days. 

To bump the version to the latest one of log4net so late in the release cycle I don't see as a good option. There are 2 other reverse dependencies that could break where I am not upstream of. 

Best regards, 

Mirco Bauer

Smuxi and Debian developer

On Sun, 10 Jan 2021, 19:53 Jérémy Prego, <jeremy@pregonetwork.net> wrote:

as a blind user, I regret removing smuxi from debian. I am a daily smuxi
user. Unfortunately, this is the only accessible graphical irc client
that I know of under Debian. for other types of messaging i use pidgin,
but for irc i really like to use smuxi ...

is there really no solution to keep smuxi in debian?


Le 10/01/2021 à 05:39, Debian testing autoremoval watch a écrit :
> smuxi 1.0.7-5.1 is marked for autoremoval from testing on 2021-02-08
> It (build-)depends on packages with these RC bugs:
> 977468: log4net: CVE-2018-1285
> This mail is generated by:
> https://salsa.debian.org/release-team/release-tools/-/blob/master/mailer/mail_autoremovals.pl
> Autoremoval data is generated by:
> https://salsa.debian.org/qa/udd/-/blob/master/udd/testing_autoremovals_gatherer.pl

Reply to: