Re: Wheezy update of twisted?
Guido Günther <agx@sigxcpu.org> writes:
> Thanks for having a look! I've added twisted-web to dla-needed.txt as
> well (Salvatore already updated data/CVE/list).
My conclusions (for wheezy-security) are that:
* Neither twisted nor twisted-web actually has a vulnerability.
* It is possible applications that depend on twisted or twisted-web do
have this vulnerability, however I do not consider it worthwhile use
of my time trying to check or test each dependency to find out.
* Upstream chose to mitigate this by removing the twcgi file, required
for CGI support.
* The CGI support is required for non-python languages, such as
PHP/Perl/CGI.
* If nothing is using this CGI interface, we are not vulnerable; there is no
need to make any changes.
* If something does use this CGI interface, and we haven't removed this
code, we are vulnerable. Vulnerable to a "minor" security threat.
* If something does use this CGI interface, and we have removed this
code, we are not vulnerable because the application is now (most
likely) completely broken.
Note: this code that uses CGI may not be in the Debian archive. It could
be installed locally or created locally.
As such, I tend to feel the risks of removing this code exceed the risks
of not removing it. I am going to do the same thing as the security team
and mark this as no-dsa.
--
Brian May <bam@debian.org>