On Wed, Nov 22, 2017 at 09:00:59PM +0100, Emilio Pozuelo Monfort wrote:
> On 08/11/17 20:19, Ola Lundqvist wrote:
> > Hi
> >
> > Considering that this package is about to be removed from jessie I
> > guess it should be removed from wheezy too. How is that done? Should I
> > contact the FTP maintainers about it, or do we simply ignore the
> > issue?
>
> We don't have point releases, so I'm not sure we can get a package removed at
> this stage without extra work by the ftp masters. So our options would be:
>
> - mark as no-dsa if it's not important enough
> - mark as unsupported / end-of-life
> - fix it
> - get it removed
>
> The issue seems only exploitable if it's used by a service that is exposed
> remotely or to other issues... and has no rdeps in wheezy. OTOH there is at
> least one sponsor using that package. So removing it may not be the best course
> given there is a proposed patch. So I'd go with either no-dsa or fix it,
> depending on the assessed importance.

Hi,

My apologies for taking a while to join the thread.

As the most recent uploader of this package, I feel responsible for helping get it into a safe state if we opt to keep it. However, I am not an active user, so if the package is to remain in Debian, it might be better to transition it to the Debian Perl Team (assuming that is amenable to the team).

I tend to agree with Emilio that removing it might not be the best course of action for our users, particularly given that we have a patch and the popcon [1] is non-zero. Removing it from the distribution seems like it merely leaves users with a known vulnerability. Also, the package might be used in derivatives.

I agree with Simon that it's a little odd for the patch to bump the version. (OTOH, it makes it much easier to differentiate from the vulnerable 0.15.) Still, I am inclined to take the patch as a patch against upstream 0.15 for the upload to unstable and then backport it for 0.13 for stable and oldstable.

Or perhaps Alexandr Ciornii (on the cc) would be willing to release 0.16 including the patch.

Thoughts?

Thank you,
tony

[1] https://qa.debian.org/popcon.php?package=libnet-ping-external-perl