RFC: fixing ming vulnerabilities then marking ming as not supported
Dear LTS Team,
Since ming is still being used on many systems [1], I have prepared
fixes for the known vulnerabilities [2] and upstreamed them.
While preparing the fixes I could not avoid noticing the lack of
proper input checking at numerous other places which could be
exploited for various kinds of attacks.
I have closed many security holes, but there are still way more than
we could handle, thus I suggest marking ming as not supported in the
debian-security-support package.
Before doing so I would happily update the package with the patches I
have already prepared and issue a DLA also mentioning that the package
is still not safe to use on untrusted data.
What do you think?
Cheers,
Balint
[1] https://qa.debian.org/popcon.php?package=ming
[2] https://github.com/libming/libming/pull/63