Debian Bug report logs - #559770
libwordpress-xmlrpc-perl embeds wordpress' xmlrpc


Package: libwordpress-xmlrpc-perl; Maintainer for libwordpress-xmlrpc-perl is (unknown);

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Mon, 7 Dec 2009 00:18:01 UTC

Severity: serious

Tags: security

Found in version libwordpress-xmlrpc-perl/1.19-1

Done: Jonathan Yu <jonathan.i.yu@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#559770; Package libwordpress-xmlrpc-perl. (Mon, 07 Dec 2009 00:18:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 07 Dec 2009 00:18:04 GMT)

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: libwordpress-xmlrpc-perl embeds wordpress' xmlrpc
Date: Sun, 6 Dec 2009 19:17:08 -0500
Package: libwordpress-xmlrpc-perl
Version: 1.19-1
Severity: serious
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for wordpress.  libwordpress-xmlrpc-perl embeds wordpress'
xmlrpc.php, so it may also be vulnerable.  The two files differ, and I
have so far been unable to pinpoint the exact code patch to fix the
problem.  Please check whether the package is affected.  Even if it is
not affected, embedded code is bad, so please update the package to
make use of wordpress's code.

CVE-2007-6672[0]:
| Mortbay Jetty 6.1.5 and 6.1.6 allows remote attackers to bypass
| protection mechanisms and read the source of files via multiple '/'
| (slash) characters in the URI.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6672
    http://security-tracker.debian.org/tracker/CVE-2007-6672
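The report above says the two files differ and that the reporter could not pinpoint which part of the upstream fix the embedded copy is missing. The usual way to answer that is per hunk rather than per file: diff the upstream file before and after the fix, and look for each resulting hunk (with a line of context) in the embedded copy. The script below is an added example, not code from this bug report, from libwordpress-xmlrpc-perl or from WordPress; the PHP it works on is a constructed toy, and the "fix" (an authentication check added to two methods plus a version bump) is hypothetical. It assumes the packager has the three files on hand: upstream before the fix, upstream after the fix, and the embedded copy.

```python
"""Locate the hunks of an upstream security fix inside a diverged embedded copy.

Added example; this is not code from the bug report, from libwordpress-xmlrpc-perl
or from WordPress.  It assumes the packager has three files: the upstream file
before the fix (BEFORE), the upstream file after the fix (AFTER) and the
embedded copy shipped in the package (COPY).  The fix is split into hunks
carrying one line of context, and each hunk is looked for in COPY, so the
answer is per hunk ("patched", "unpatched", "diverged") instead of "the files
differ".
"""
import difflib

CONTEXT = 1  # unchanged lines carried on each side of a hunk; must be >= 1


def norm(text):
    """Split into stripped, non-blank lines so indentation drift is ignored."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def fix_hunks(before, after, context=CONTEXT):
    """Yield (old_lines, new_lines) for every region the fix changed.

    Both sides carry `context` unchanged lines at each end, as a unified diff
    does; that keeps two identical insertions in different functions distinct
    and makes a pure deletion detectable (its "new" side is then non-empty).
    """
    assert context >= 1
    sm = difflib.SequenceMatcher(None, before, after, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal":
            continue
        yield (before[max(0, i1 - context):i2 + context],
               after[max(0, j1 - context):j2 + context])


def contains(haystack, needle):
    """True if `needle` occurs as a contiguous run of lines in `haystack`."""
    n = len(needle)
    return any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))


def classify_copy(before_text, after_text, copy_text):
    """Return one status per fix hunk.

    'patched'   the post-fix lines (with context) are present in the copy
    'unpatched' the pre-fix lines are still there verbatim
    'diverged'  neither was found: the copy changed here for other reasons and
                a human has to look at it (a context-only change lands here too)
    """
    before, after, copy = norm(before_text), norm(after_text), norm(copy_text)
    statuses = []
    for old, new in fix_hunks(before, after):
        if contains(copy, new):
            statuses.append("patched")
        elif contains(copy, old):
            statuses.append("unpatched")
        else:
            statuses.append("diverged")
    return statuses


# Constructed toy PHP standing in for upstream xmlrpc.php; not WordPress code.
BEFORE = """
<?php
define('XMLRPC_VERSION', '1.0');
function getPost($args) {
    $post_id = (int) $args[0];
    return get_post($post_id);
}
function deletePost($args) {
    $post_id = (int) $args[0];
    return delete_post($post_id);
}
"""

# Hypothetical upstream fix: bump the version and authenticate in both methods.
AUTH_CHECK = ("    if (!$this->login($args[1], $args[2]))\n"
              "        return $this->error;\n")
AFTER = (BEFORE.replace("'1.0'", "'1.1'")
         .replace("    return get_post(", AUTH_CHECK + "    return get_post(")
         .replace("    return delete_post(", AUTH_CHECK + "    return delete_post("))

# Hypothetical embedded copy: own version string, getPost fixed, deletePost not.
COPY = (BEFORE.replace("'1.0'", "'1.0-perl'")
        .replace("    return get_post(", AUTH_CHECK + "    return get_post("))


if __name__ == "__main__":
    for status, (old, new) in zip(classify_copy(BEFORE, AFTER, COPY),
                                  fix_hunks(norm(BEFORE), norm(AFTER))):
        print(f"{status:10s} @ {new[0]!r}")
```

On the toy input this reports the version-string hunk as diverged (the copy carries its own string, so neither side matches), the getPost hunk as patched and the deletePost hunk as unpatched. The "diverged" result is deliberately conservative: a copy that has the fix but also rewrote a context line lands there, which is exactly the spot a packager has to read by hand. Matching is on stripped lines only, so a copy that reformatted or reordered code still needs manual review.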




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#559770; Package libwordpress-xmlrpc-perl. (Mon, 07 Dec 2009 00:33:06 GMT)

Acknowledgement sent to Jonathan Yu <jonathan.i.yu@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 07 Dec 2009 00:33:06 GMT)

Message #10 received at 559770@bugs.debian.org (full text, mbox):

From: Jonathan Yu <jonathan.i.yu@gmail.com>
To: 559770@bugs.debian.org
Cc: Michael Gilbert <michael.s.gilbert@gmail.com>, Debian Perl List <debian-perl@lists.debian.org>
Subject: Re: Bug#559770: libwordpress-xmlrpc-perl embeds wordpress' xmlrpc
Date: Sun, 6 Dec 2009 19:32:18 -0500
Hi:

Thank you for your bug report.

It should be noted that this module is destined for removal from
unstable and testing due to some new dependencies (LEOCHARRE::
modules) which we would rather not package. The code quality of those
files was questionable (such as dumping random things into the main
namespace), and the consensus amongst the group was that removal of
Wordpress-XMLRPC was the best option.

Given that this module is not yet in stable, I'm not sure whether we
should spend the time investigating this -- the package
libwordpress-xmlrpc-perl will be removed from testing and unstable
some time this week, probably over the next few days unless
significant objections are raised and a suitable solution is
discovered.

For discussion of the removal, please see:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559524

This would seem to be the final nail in the coffin for this package.

Cheers,

Jonathan




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#559770; Package libwordpress-xmlrpc-perl. (Mon, 07 Dec 2009 00:36:04 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 07 Dec 2009 00:36:04 GMT)

Message #15 received at 559770@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 559770@bugs.debian.org, Debian Perl List <debian-perl@lists.debian.org>
Subject: Re: Bug#559770: libwordpress-xmlrpc-perl embeds wordpress' xmlrpc
Date: Sun, 6 Dec 2009 19:33:59 -0500
On Sun, 6 Dec 2009 19:32:18 -0500 Jonathan Yu wrote:

> Hi:
> 
> Thank you for your bug report.
> 
> It should be noted that this module is destined for removal from
> unstable and testing due to some new dependencies (LEOCHARRE::
> modules) which we would rather not package. The code quality of those
> files was questionable (such as dumping random things into the main
> namespace), and the consensus amongst the group was that removal of
> Wordpress-XMLRPC was the best option.
> 
> Given that this module is not yet in stable, I'm not sure whether we
> should spend the time investigating this -- the package
> libwordpress-xmlrpc-perl will be removed from testing and unstable
> some time this week, probably over the next few days unless
> significant objections are raised and a suitable solution is
> discovered.
> 
> For discussion of the removal, please see:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559524
> 
> This would seem to be the final nail in the coffin for this package.

ok, thanks for the info.

mike




Information stored:
Bug#559770; Package libwordpress-xmlrpc-perl. (Tue, 08 Dec 2009 05:21:09 GMT)

Acknowledgement sent to Jonathan Yu <jawnsy@cpan.org>:
Extra info received and filed, but not forwarded. (Tue, 08 Dec 2009 05:21:09 GMT)

Message #20 received at 559770-quiet@bugs.debian.org (full text, mbox):

From: Jonathan Yu <jawnsy@cpan.org>
To: debian-release@lists.debian.org
Cc: Debian Perl List <debian-perl@lists.debian.org>, 559524-quiet@bugs.debian.org, 559770-quiet@bugs.debian.org
Subject: RM: libwordpress-xmlrpc-perl/testing -- ROM; Based on recent source changes, we believe the quality of code is poor.
Date: Tue, 8 Dec 2009 00:17:59 -0500
Here are some reasons why:

1. We discussed this in the ITP for libleocharre-perl [0]; the whole
idea of the LEOCHARRE:: modules is flawed in many ways, and also
exports random symbols to the 'main' namespace with no way of stopping
it from doing so.

2. The overhead involved with patching in the needed LEOCHARRE::
features is probably going to be big in the long term.

3. There is a critical security issue due to inclusion of WordPress' XMLRPC [1]

4. Low popcon score

5. Not in stable (only unstable and testing)

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559524
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559770
[2] http://qa.debian.org/popcon.php?package=libwordpress-xmlrpc-perl




Added blocking bug(s) of 559770: 559995 Request was from Jonathan Yu <jonathan.i.yu@gmail.com> to control@bugs.debian.org. (Tue, 08 Dec 2009 06:00:04 GMT)

Reply sent to Jonathan Yu <jonathan.i.yu@gmail.com>:
You have taken responsibility. (Thu, 17 Dec 2009 04:33:07 GMT)

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Thu, 17 Dec 2009 04:33:07 GMT)

Message #27 received at 559770-done@bugs.debian.org (full text, mbox):

From: Jonathan Yu <jonathan.i.yu@gmail.com>
To: 559770-done@bugs.debian.org, 559524-done@bugs.debian.org
Cc: Debian Perl List <debian-perl@lists.debian.org>
Subject: Removal of libwordpress-xmlrpc-perl
Date: Wed, 16 Dec 2009 23:28:00 -0500
Hi:

Please note that these bugs are no longer valid because
libwordpress-xmlrpc-perl has been removed from Debian unstable. It
appears that it has also been removed from testing per the automated
process.

This will "resolve" the issues for now -- however, unfortunately the
package is no longer available as part of Debian and must be installed
manually via CPAN or another tool. Hopefully the issues will be
resolved upstream eventually.

If there is some serious need for this package (and I mean enough to
convince us to do the work this would entail), we can consider a
severe series of patches to get things in good working order (but we'd
pretty much be diverging from upstream and it would pretty much just
be a fork of the older version that did not use the LEOCHARRE::
modules). I'd rather not maintain a module like this as a Debian
native package.

Cheers,

Jonathan




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 14 Jan 2010 07:45:34 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 15:28:39 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.