
Re: Bug#881097: To be removed from wheezy as well



On Wed, Nov 22, 2017 at 09:00:59PM +0100, Emilio Pozuelo Monfort wrote:
> On 08/11/17 20:19, Ola Lundqvist wrote:
> > Hi
> > 
> > Considering that this package is about to be removed from jessie I
> > guess it should be removed from wheezy too. How is that done? Should I
> > contact the FTP maintainers about it, or do we simply ignore the
> > issue?
> 
> We don't have point releases, so I'm not sure we can get a package removed at
> this stage without extra work by the ftp masters. So our options would be:
> 
> - mark as no-dsa if it's not important enough
> - mark as unsupported / end-of-life
> - fix it
> - get it removed
> 
> The issue seems only exploitable if it's used by a service that is exposed
> remotely or to other issues... and has no rdeps in wheezy. OTOH there is at
> least one sponsor using that package. So removing it may not be the best course
> given there is a proposed patch. So I'd go with either no-dsa or fix it,
> depending on the assessed importance.

Hi,

My apologies for taking a while to join the thread.  As the most recent
uploader of this package, I feel responsible for helping get it into a
safe state if we opt to keep it.  However, I am not an active user, so
if the package is to remain in Debian, it might be better to transition
it to the Debian Perl Team (assuming that is amenable to the team).

I tend to agree with Emilio that removing it might not be the best
course of action for our users, particularly given that we have a patch
and the popcon [1] is non-zero.  Removing it from the distribution seems
like it merely leaves users with a known vulnerability.  Also, the
package might be used in derivatives.

I agree with Simon that it's a little odd for the patch to bump the
version.  (OTOH, it makes it much easier to differentiate from the
vulnerable 0.15.)  Still, I am inclined to take the patch as a patch
against upstream 0.15 for the upload to unstable and then backport it
for 0.13 for stable and oldstable.  Or perhaps Alexandr Ciornii (on the
cc) would be willing to release 0.16 including the patch.

Thoughts?

Thank you,
tony

[1] https://qa.debian.org/popcon.php?package=libnet-ping-external-perl
