
libnet-ping-external-perl / CVE-2008-7319

From dla-needed.txt:

  NOTE: The solution for jessie is to remove the package from the archive.
  NOTE: The same should be done in wheezy too. So the action for this
  NOTE: package is to contact the FTP masters in order to handle this.

Reading https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881097
(including the subset that was CCed here) there seems to be some debate
if removing it from wheezy is the appropriate thing to do.

There is a patch and at a quick glance the patch appears to be reasonably
standard and updates tests too. None of the hunks from the patch apply
to the old version in Debian (same version all distributions).

Even though we could patch this, the fact that a 10-year-old
vulnerability is only now receiving attention does not showcase this
package in a positive manner. The project is dead upstream, and Debian
hasn't updated to the latest version in sid. In fact it is getting
removed from sid. There might be more vulnerabilities.

Does anyone have any objections to me removing this? Or should I pursue
the patch option?
Brian May <bam@debian.org>
