Multiple vulnerabilities have been found in python-feedparser, the version of the Universal Feed Parser shipped with Fedora 15. It is a Python module for downloading and parsing RSS (Really Simple Syndication) and Atom feeds. All of the flaws are in "feedparser.py". A remote attacker who controls a feed could exploit them to cause a denial of service, or to inject arbitrary web script or HTML through specially crafted DOCTYPE declarations, specially crafted XML comments, or unexpected URI (Uniform Resource Identifier) schemes that the sanitizer failed to strip. Updating to the fixed package, python-feedparser 5.0.1-1.fc15, is recommended.

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-4988
2011-04-07 02:16:28
--------------------------------------------------------------------------------

Name        : python-feedparser
Product     : Fedora 15
Version     : 5.0.1
Release     : 1.fc15
URL         : http://feedparser.org/
Summary     : Parse RSS and Atom feeds in Python
Description :
Universal Feed Parser is a Python module for downloading and parsing
syndicated feeds. It can handle RSS 0.90, Netscape RSS 0.91,
Userland RSS 0.91, RSS 0.92, RSS 0.93, RSS 0.94, RSS 1.0, RSS 2.0,
Atom 0.3, Atom 1.0, and CDF feeds. It also parses several popular extension
modules, including Dublin Core and Apple's iTunes extensions.

--------------------------------------------------------------------------------
Update Information:

Current release: 5.0.1 - February 20, 2011

 * Fix issue 91 (invalid text in XML declaration causes sanitizer to crash)
 * Fix issue 254 (sanitization can be bypassed by malformed XML comments)
 * Fix issue 255 (sanitizer doesn't strip unsafe URI schemes)
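
Issues 254 and 255 above (content smuggled past the sanitizer through XML comments, and unsafe URI schemes surviving it), like the URI-scheme and comment vectors in the summary at the top of this page, are what a filter that matches literal strings instead of parsing its input tends to produce. The following Python is an added example written for this page, not feedparser's own sanitizer or a reconstruction of the fixed code; the scheme allowlist, tag allowlist and the sample entry body are constructed assumptions. It puts a prefix-denylist scheme check beside an allowlist check on the parsed, normalised scheme, and runs a small parser-based sanitizer that never copies comments or declarations to its output:

```python
"""Allowlist URI-scheme filtering for feed HTML (illustrative, not feedparser's code)."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlists for this example; a real deployment chooses its own.
SAFE_SCHEMES = {"http", "https", "ftp", "mailto"}
URI_ATTRS = {"href", "src", "cite", "action", "longdesc", "poster"}
ALLOWED_TAGS = {"a", "p", "b", "i", "em", "strong", "img", "br",
                "ul", "ol", "li", "code", "pre", "blockquote"}
VOID_TAGS = {"img", "br"}
DROP_WITH_CONTENT = {"script", "style"}   # element and its text both go

# ASCII whitespace and C0/DEL controls: browsers ignore them inside a scheme,
# so "java\tscript:" and " javascript:" both run as javascript: URLs.
_IGNORED_IN_SCHEME = re.compile(r"[\x00-\x20\x7f]")


def denylist_uri_is_safe(value):
    """Weak form: reject a few literal prefixes. Here only to show what it
    misses (case changes, embedded whitespace, unlisted schemes)."""
    return not value.lower().startswith(("javascript:", "data:"))


def uri_is_safe(value):
    """Allowlist form: strip ignored characters, parse the scheme, accept only
    known ones. A URI with no scheme is relative and is accepted."""
    cleaned = _IGNORED_IN_SCHEME.sub("", value)
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class FeedHTMLSanitizer(HTMLParser):
    """Rebuild a fragment from parsed tokens, keeping only allowlisted tags
    and safe attributes. Comments, DOCTYPE declarations and processing
    instructions are dropped, so nothing inside a comment reaches the page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities in text/attrs decoded
        self.out = []
        self.skip_depth = 0   # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):                    # event handlers
                continue
            if name in URI_ATTRS and not uri_is_safe(value):
                continue                                 # drop attr, keep tag
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))   # re-escape text

    def handle_comment(self, data):
        pass   # never copied to output, whatever it contains

    def handle_decl(self, decl):
        pass   # DOCTYPE and friends are not copied either


def sanitize(fragment):
    parser = FeedHTMLSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed sample entry body (not from any real feed): one legitimate link,
# an entity-encoded and a tab-split javascript: URI, a data: image, a script
# hidden in a comment and a bare <script>.
SAMPLE_ENTRY_HTML = (
    '<p>Read <a href="https://example.org/post">the post</a> '
    '<a href="javascript&#58;alert(1)">or this</a> '
    '<a href="java\tscript:alert(2)" onclick="steal()">or this</a></p>'
    '<img src="data:text/html;base64,PHNjcmlwdD4=" alt="x">'
    '<!-- <script>alert(4)</script> -->'
    '<script>alert(5)</script>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE_ENTRY_HTML))
```

Running the file prints the sanitized fragment: the two javascript: links survive as plain `<a>` elements with their href removed, the data: image keeps only its `alt`, and neither the comment nor the script appears. The point of the two scheme checks side by side is that `denylist_uri_is_safe` passes `java<TAB>script:`, ` javascript:` and `vbscript:` while `uri_is_safe` rejects all of them, because the decision is made on the parsed scheme after the characters a browser ignores have been removed, not on the raw attribute text.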

Previous release: 5.0 - January 25, 2011

 * Improved MathML support
 * Support microformats (rel-tag, rel-enclosure, xfn, hcard)
 * Support IRIs
 * Allow safe CSS through sanitization
 * Allow safe HTML5 through sanitization
 * Support SVG
 * Support inline XML entity declarations
 * Support unescaped quotes and angle brackets in attributes
 * Support additional date formats
 * Added the request_headers argument to parse()
 * Added the response_headers argument to parse()
 * Support multiple entry, feed, and source authors
 * Officially make Python 2.4 the earliest supported version
 * Support Python 3
 * Bug fixes, bug fixes, bug fixes 

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #684877 - CVE-2009-5065 CVE-2011-1156 CVE-2011-1157 CVE-2011-1158 python-feedparser: multiple flaws corrected in version 5.1
        https://bugzilla.redhat.com/show_bug.cgi?id=684877
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update python-feedparser' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce