RFC: fixing ming vulnerabilities them marking ming as not supported

To: Debian LTS <debian-lts@lists.debian.org>
Subject: RFC: fixing ming vulnerabilities them marking ming as not supported
From: Bálint Réczey <balint@balintreczey.hu>
Date: Thu, 5 Jan 2017 18:38:00 +0100
Message-id: <[🔎] CAK0Odpwn5yJ0-OhY1HZJo+g=rUdazEbbO-x-fs6oz0483V8sNQ@mail.gmail.com>
Reply-to: balint@balintreczey.hu

Dear LTS Team,

Since ming is still being used on many systems [1] of I have prepared
fixes for the known vulnerabilities [2] and upstreamed them.
While preparing the fixes I could not avoid noticing the lack of
proper input checking at numerous other places which could be
exploited for various kinds of attacks.

I have closed many security holes, but there are still way more than
we could handle thus I suggest marking ming as not supported in the
debian-security-support package.

Before doing so I would happily update the package with the patches I
have already prepared and issue a DLA also mentioning that the package
is still not safe to use on untrusted data.

What do you think?

Cheers,
Balint

[1] https://qa.debian.org/popcon.php?package=ming
[2] https://github.com/libming/libming/pull/63

Reply to:

Prev by Date: LTS report for December
Next by Date: Re: Wheezy update of rabbitmq-server?
Previous by thread: LTS report for December
Next by thread: Wheezy update of jbig2dec?
Index(es):
- Date
- Thread