
Re: smuxi is marked for autoremoval from testing



On Mon, Jan 11, 2021 at 10:54:27AM +0800, Mirco Bauer wrote:
> Thanks for your email and raised concern, Jeremy.
> 
> Full accessibility in Smuxi has been a high priority for me for a long
> time.
> 
> I looked into the vulnerability of the log4net library that Smuxi depends
> on. My assessment doesn't classify an XXE for a local configuration file as
> release critical. An attacker would need to have write access to the
> configuration file to exploit it. At that point an XXE is pointless, he can
> just execute curl, wget, perl, python or write something to ~/.bashrc
> directly.
> Having identified the offending code, the fix is a one-line change on the
> other hand. I plan to upload a fixed version of log4net in the coming days.

What's the status of that upload? Patch is at
https://github.com/apache/logging-log4net/commit/d0b4b0157d4af36b23c24a23739c47925c3bd8d7

Cheers,
        Moritz
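
The thread above concerns DTD handling when an XML configuration file is loaded. The following is an added example, not code from this thread, from log4net or from the linked commit; it shows the general shape of that class of fix in .NET. It assumes .NET 4.0 or later (the DtdProcessing enum) and uses a constructed log4net-style config with an internal entity so that the difference between the two loaders is visible without touching any file or network resource.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example, not log4net's own code. Assumes .NET 4.0+ (DtdProcessing).
// Point: a config loader that parses DTDs honours whatever entities a
// <!DOCTYPE> declares; one that prohibits DTDs rejects the document before
// any entity (internal or external) can be expanded or fetched.
static class ConfigLoader
{
    // Constructed sample config: a DOCTYPE declaring an internal entity that
    // is then used in an attribute value. An external (SYSTEM) entity would
    // be the XXE case; an internal one is enough to show which loader
    // processes the DTD at all.
    public const string SampleConfig =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE log4net [ <!ENTITY lvl \"DEBUG\"> ]>\n" +
        "<log4net>\n" +
        "  <root><level value=\"&lvl;\" /></root>\n" +
        "</log4net>";

    // Weak: DTDs are parsed and a URL resolver is present, so entity
    // declarations (including external ones) are honoured.
    public static XmlDocument LoadPermissive(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = new XmlUrlResolver()
        };
        var doc = new XmlDocument();
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
            doc.Load(reader);
        return doc;
    }

    // Hardened: any DOCTYPE is a fatal XmlException, and no resolver exists
    // to fetch anything. Appropriate for a config format that never needs
    // a DTD, which is the case for a log4net configuration section.
    public static XmlDocument LoadHardened(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        var doc = new XmlDocument();
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
            doc.Load(reader);
        return doc;
    }

    public static void Main()
    {
        // The permissive loader expands the entity: prints "DEBUG".
        var weak = LoadPermissive(SampleConfig);
        Console.WriteLine("permissive: level = " +
            weak.SelectSingleNode("/log4net/root/level/@value").Value);

        // The hardened loader refuses the document at the DOCTYPE.
        try
        {
            LoadHardened(SampleConfig);
            Console.WriteLine("hardened: loaded (unexpected)");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("hardened: rejected DOCTYPE: " + ex.Message);
        }
    }
}
```

The useful check for a packager reviewing a fix of this kind is the second half: feed the configured loader a document with a `<!DOCTYPE>` and confirm it is rejected with an XmlException rather than silently parsed. Prohibiting DTDs outright is the right default for configuration files; DtdProcessing.Ignore would also prevent entity expansion but silently accepts the document, which hides the problem from the person who wrote the config.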

