
RFC: fixing ming vulnerabilities, then marking ming as not supported

Dear LTS Team,

Since ming is still being used on many systems [1], I have prepared
fixes for the known vulnerabilities [2] and upstreamed them.
While preparing the fixes I could not avoid noticing the lack of
proper input checking at numerous other places which could be
exploited for various kinds of attacks.

I have closed many security holes, but there are still way more than
we could handle, thus I suggest marking ming as not supported in the
debian-security-support package.

Before doing so I would happily update the package with the patches I
have already prepared and issue a DLA also mentioning that the package
is still not safe to use on untrusted data.

What do you think?


[1] https://qa.debian.org/popcon.php?package=ming
[2] https://github.com/libming/libming/pull/63
