sabnzbd+ 0.5.0beta1 and expat-2.0.1-8 for Fedora 12 are incompatible

[starheart]

  Today I upgraded from expat-2.0.1-7 to expat-2.0.1-8 and found sabnzbd+ 0.5.0beta1 stopped taking nzbs with the error message below. To fix it I downgraded back to expat-2.0.1-7. Then sabnzbd+ started working again.

  expat-2.0.1-8 seems to be a security release. Below is the changelog.

Error message:
WARNING::[nzbstuff:547] Invalid NZB file file.nzb, skipping (reason=error in processing external entity reference, line=30)

Changelog:
* Tue Dec 01 2009 Joe Orton - 2.0.1-8
- add security fix for CVE-2009-3560 (#533174)
- add security fix for CVE-2009-3720 (#531697)
- run the test suite

[shypike]

SABnzbd is trying to read the DTD file (formal description of the NZB format)
from newzbin.com for each NZB that it parses.
This isn't needed and will be removed from the next Beta.
(Although it is perfectly correct behavior when parsing XML files).

O.t.o.h. what kind of security suite tries to prevent a program from
getting data from external websites? Especially because that's the
very purpose of SABnzbd.

[starheart]

  That might work around this issue, but it still seems to be a bug in expat. I have created a bug with Fedora about it.

https://bugzilla.redhat.com/show_bug.cgi?id=544996

[shypike]

Expat!
I assumed this was a security program, but it's the actual XML parser used
by the Python run-time library. My mistake.

I'm not 100% sure it's caused by the expat upgrade you describe.
People using the binary SABnzbd releases for Windows and OSX
have complained about this too, while we did not change the Python setup for a many months.
The cause is that under some circumstances the XML library thinks
it should use a web proxy instead of a direct internet connection.
This is OK when there is a working proxy, but not when it's missing.

[starheart]

Read my bug report. I completely bypassed sabnzbd+, and used the xmlwf command that comes with expat. The patch for the first security bugfix breaks validation of a nzb file. Removing the patch makes it work again. The error from xmlwf is the same as the one from sabnzbd+.

[shypike]

I see.
Anyway, Beta2 will have a work-around.
Also because there's no need to hit on newzbin.com every time an NZB is parsed.

[beezel]

  Today I upgraded from expat-2.0.1-7 to expat-2.0.1-8 and found sabnzbd+ 0.5.0beta1 stopped taking nzbs with the error message below. To fix it I downgraded back to expat-2.0.1-7. Then sabnzbd+ started working again.

  expat-2.0.1-8 seems to be a security release. Below is the changelog.

Error message:
WARNING::[nzbstuff:547] Invalid NZB file file.nzb, skipping (reason=error in processing external entity reference, line=30)

Changelog:
* Tue Dec 01 2009 Joe Orton - 2.0.1-8
- add security fix for CVE-2009-3560 (#533174)
- add security fix for CVE-2009-3720 (#531697)
- run the test suite

Could you be so kind as to explain how you downgraded expat? I am running f10 and mine also upgraded, from 2.0.1.5 to 2.0.1.8. However, when i try to remove 2.0.1.8 to then replace with 2.0.1.5 via --allow-downgrade, it wants to remove 677 packages along with expat-2.0.1.8.

Any tips? Would love to have this working again!

thanks,

justin

[beezel]

im thinking:

rpm -e -nodeps expat-2.0.1-8.fc10.x86_64
rpm -e -nodeps expat-devel-2.0.1-8.fc10.x86_64

yum --allow-downgrade install expat*-5.fc10.x86_64

does this sound appropriate? just trying not to hose my box and end up working all weekend

[beezel]

ok, so rpm -e --nodeps killed yum, so i had to wget expat-2.0.1-5 from a repo and install it via rpm -ihv instead. easy fix, after blacklisting expat from yum.