libnet-ping-external-perl / CVE-2008-7319

To: debian-lts@lists.debian.org
Subject: libnet-ping-external-perl / CVE-2008-7319
From: Brian May <bam@debian.org>
Date: Thu, 07 Dec 2017 18:25:22 +1100
Message-id: <[🔎] 87fu8nknj1.fsf@prune.linuxpenguins.xyz>

>From dla-needed.txt:

libnet-ping-external-perl
  NOTE: The solution for jessie is to remove the package from the archieve.     
  NOTE: The same should be done in wheezy too. So the action for this
  NOTE: package is to contact the FTP masters in order to handle this.

Reading https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881097
(including the subset that was CCed here) there seems to be some debate
if removing it from wheezy is the appropriate thing to do.

There is a patch and at quick glance the patch appears to be reasonable
standard and updates tests too. None of the hunks from the patch apply
to old the version in Debian (same version all distributions).

Even though we could patch this, the fact that a 10 year old
vulnerability is only now receiving attention does not showcase this
package in a positive manner. The project is dead upstream, and Debian
hasn't updated to the latest version in sid. In fact it is getting
removed from sid. There might be more vulnerabilities.

Does anyone have any objections to me removing this? Or should I persue
to patch option?
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: libnet-ping-external-perl / CVE-2008-7319
  - From: Raphael Hertzog <hertzog@debian.org>

Prev by Date: Re: November Report
Next by Date: Re: libnet-ping-external-perl / CVE-2008-7319
Previous by thread: Re: Wheezy update of simplesamlphp?
Next by thread: Re: libnet-ping-external-perl / CVE-2008-7319
Index(es):
- Date
- Thread