[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1008164: RM: obfs4proxy/0.0.8-1

Am Mon, Jul 31, 2023 at 08:05:29AM +0100 schrieb Jonathan Wiltshire:
> Hi,
> 
> On Mon, Jul 04, 2022 at 07:36:12PM +0100, Adam D. Barratt wrote:
> > Control: retitle -1 RM: obfs4proxy -- RoM; security issues
> > Control: tags -1 + moreinfo
> > 
> > On Sat, 2022-03-26 at 21:21 +0100, Paul Gevers wrote:
> > > Control: tag -1 bullseye
> > > 
> > > Hi Ana,
> > > 
> > > On 23-03-2022 13:13, Ana Custura wrote:
> > > > Opening this bug after a recomendation from debian-security.
> > > > Version 0.0.8 of obfs4proxy has a security bug, which has only been
> > > > fixed in a later
> > > > version (0.0.13, see bug number #1004374), and also suffers from
> > > > incompatibilty issues
> > > > with later versions of the package. Version 0.0.13 is already in
> > > > bullseye-backports.
> > > 
> > > So this want's removal from bullseye, setting the right tag to have
> > > it on the radar of the SRM.
> > 
> > obfs4proxy has a reverse-dependency in bullseye:
> > 
> > Checking reverse dependencies...
> > # Broken Depends:
> > onionshare: onionshare
> > 
> > Dependency problem found.
> 
> This remains unresolved - obfs4proxy cannot be removed while onionshare
> depends on it. Security team - is removal your recommendation? How can the
> dependency be resolved?

Let's add the onionshare maintainer to CC.

In #1004375 onionshare demoted the dependency on obfs4proxy to a Recommends,
can we apply the same to onionshare 2.2 from Bullseye?

Cheers,
        Moritz
Reply to: