Re: squeeze update of firestarter

To: debian-lts@lists.debian.org
Subject: Re: squeeze update of firestarter
From: Bret Busby <bret.busby@gmail.com>
Date: Mon, 13 Apr 2015 02:23:30 +0800
Message-id: <[🔎] CACX6j8N9FZdX8tNQVS0QUfmtqpcZBjud6xeMC2akcj2kV8DEJA@mail.gmail.com>
In-reply-to: <[🔎] alpine.DEB.2.02.1504121649420.9259@jupiter.server.alteholz.net>
References: <[🔎] CACX6j8PCUS7A927ikK=3On9X6cKQ9J0hHFCzTr4HicSprYOxBg@mail.gmail.com> <[🔎] alpine.DEB.2.02.1504121649420.9259@jupiter.server.alteholz.net>

On 12/04/2015, Thorsten Alteholz <debian@alteholz.de> wrote:
> Hi Bret,
>
> do you know of any vulnerability that affects firestarter?
> I skimmed the list of known vulnerabilities but could not find an entry
> for it. So maybe there is no need for maintenance yet. Of course, if a
> problem shows up, we have to pay attention.
>
>    Thorsten
>

Hello, Thorsten.

Thank you for the response.

I am not aware of any vulnerabilities that affect firestarter, but I
am concerned that, with firestarter apparently having been abandoned
by its developers and maintainers, 2-3 years ago, its status in terms
of vulnerabilities and risk, might not be known.

As it is firewall software, I believe that its status, in terms of
risk, is important.

I have no idea, as to the extent of the current usage of firestarter.
I do not know whether the Debian Project has a statistic ( the
popularity thing for usage or installations of packages, that can be
implemented upon installation of Debian), that would indicate how many
installations of firestarter, exist, or are in use.

It could be that it was so well written, by the time that it was
abandoned by its developers and maintainers (or, simply that the
baddies have not yet tried to breach it), that it is relatively (I do
not accept that any software, is absolutely) secure and safe, but, in
the apparent absence of ongoing maintenance and devlopment, for the
last couple of years, its staus appears (to me) to be uncertain.

That is why I was seeking for it to be reviewed.

As you have said, upon your having "skimmed the list of known
vulnerabilities", that are notified, and, having not found any for
firestarter, then, as you said, "maybe there is no need for
maintenance yet".

I have not seen any CERT advisory for firestarter, that I remember,
and I have been subscribed to the CERT advisories, for a number of
years.

-- 
Bret Busby
Armadale
West Australia
..............

"So once you do know what the question actually is,
 you'll know what the answer means."
- Deep Thought,
 Chapter 28 of Book 1 of
 "The Hitchhiker's Guide to the Galaxy:
 A Trilogy In Four Parts",
 written by Douglas Adams,
 published by Pan Books, 1992

....................................................

Reply to:

References:
- squeeze update of firestarter
  - From: Bret Busby <bret.busby@gmail.com>
- Re: squeeze update of firestarter
  - From: Thorsten Alteholz <debian@alteholz.de>

Prev by Date: Re: How to deal with wireshark CVE affecting Squeeze
Next by Date: Re: How to deal with wireshark CVE affecting Squeeze
Previous by thread: Re: squeeze update of firestarter
Next by thread: squeeze update of libtasn1-3?
Index(es):
- Date
- Thread