Re: SRMs: Should maxdb-related packages be removed from Etch?
On 2008-05-09, Kevin B. McCarty <kmccarty@debian.org> wrote:
>
> Hi SRMs,
>
> I just noticed this in http://ftp-master.debian.org/removals.txt :
>
>> [Date: Sun, 20 Jan 2008 00:44:40 +0000] [ftpmaster: Joerg Jaspert]
>> Removed the following packages from unstable:
> [snip]
>> maxdb-7.5.00 | 7.5.00.44-2 | source
> [snip]
>> Closed bugs: 461456
>>
>> ------------------- Reason -------------------
>> RoM; security issues, upstream closed source
>> ----------------------------------------------
>
> Should the maxdb-7.5.00 source package perhaps also be removed from Etch
> for these reasons? The security bug is #461444 and has CVE number
> CVE-2008-0244. Upstream has taken the package closed-source and
> apparently there is no easy fix for the security problems. I don't see
> any indication that there is an intent to release a security update for
> the Etch packages.
Ack.
Please file a removal bug for stable against ftp.debian.org
(latest versions of reportbug make that very easy)
Cheers,
Moritz