
Re: Wheezy update of twisted?



Guido Günther <agx@sigxcpu.org> writes:

> Thanks for having a look! I've added twisted-web to dla-needed.txt as
> well (Salvatore already updated data/CVE/list).

My conclusions (for wheezy-security) are that:

* Neither twisted nor twisted-web actually has a vulnerability.

* It is possible that applications which depend on twisted or twisted-web
  do have this vulnerability; however, I do not consider it a worthwhile
  use of my time to check or test each dependency to find out.

* Upstream chose to mitigate this by removing the twcgi file, required
  for CGI support.

* The CGI support is required for non-python languages, such as
  PHP/Perl/CGI.

* If nothing is using this CGI interface, we are not vulnerable and there
  is no need to make any changes.

* If something does use this CGI interface, and we haven't removed this
  code, we are vulnerable. Vulnerable to a "minor" security threat.

* If something does use this CGI interface, and we have removed this
  code, we are not vulnerable because the application is now (most
  likely) completely broken.

Note: this code that uses CGI may not be in the Debian archive. It could
be installed locally or created locally.

As such, I tend to feel the risks of removing this code exceed the risks
of not removing it. I am going to do the same thing as the security team
and mark this as no-dsa.
-- 
Brian May <bam@debian.org>
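The "is anything using this CGI interface" question from the list above, as an added example that is not part of the message or of Twisted's own code: a scanner that walks a source tree with Python's ast module and reports files importing twisted.web.twcgi (the module upstream removed). The sample tree it scans is constructed inline for the demo.

```python
import ast
import os
import tempfile

TWCGI = "twisted.web.twcgi"  # module upstream removed to drop CGI support

def imports_twcgi(source: str) -> bool:
    """True if the source imports twcgi (direct, aliased, or from-import)."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return False  # not parseable as Python; grep would be the fallback
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            if any(a.name == TWCGI for a in node.names):
                return True
        elif isinstance(node, ast.ImportFrom):
            mod = node.module or ""
            if mod == TWCGI:
                return True
            if mod == "twisted.web" and any(a.name == "twcgi" for a in node.names):
                return True
    # Limitation: attribute use after a bare `import twisted.web` is not caught.
    return False

def scan_tree(root: str) -> list:
    """Sorted relative paths of .py files under root that import twcgi."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".py"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if imports_twcgi(fh.read()):
                        hits.append(os.path.relpath(path, root))
    return sorted(hits)

def demo() -> list:
    """Scan a constructed sample tree: two files use twcgi, one does not."""
    samples = {  # constructed sample sources, not real packages
        "app/cgi_site.py": "from twisted.web import twcgi\nr = twcgi.CGIDirectory('/srv/cgi-bin')\n",
        "app/php.py": "import twisted.web.twcgi as cgi\n",
        "app/plain.py": "from twisted.web import server, static\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, src in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(src)
        return scan_tree(root)  # ['app/cgi_site.py', 'app/php.py']
```

To answer the question for a real system, point scan_tree at the site-packages directory and at any locally installed application trees; an empty result means nothing parseable imports the module directly.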

