
Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.



On Fri, Aug 16, 2019 at 08:11:58PM +0000, Markus Koschany wrote:
> Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
> 
> Commits:
> bc35662f by Markus Koschany at 2019-08-16T20:11:47Z
> Add radare2 to dla-needed.txt with comments.
> 
> - - - - -
> 1 changed file:
> - data/dla-needed.txt
> +radare2
> +  NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in
> +  NOTE: libr/core/bin.c. Many no-dsa issues in Jessie and Stretch. Should we
> +  NOTE: continue the current approach, update to a newer upstream version or mark
> +  NOTE: radare2 as unsupported? Also note that there is a r2-pwnDebian challenge...
> +  NOTE: https://bananamafia.dev/post/r2-pwndebian/ (apo)
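
Review bot: the NOTE lines for radare2 leave an open question in dla-needed.txt ("Should we continue the current approach, update to a newer upstream version or mark radare2 as unsupported?"), and "Many no-dsa issues in Jessie and Stretch" names no CVE ids besides CVE-2019-14745. Once the decision is made, replace the question with the outcome, and either list the no-dsa CVEs or say where they are tracked so whoever claims the package knows the scope. The trailing "..." after "r2-pwnDebian challenge" can be dropped, since the URL follows on the next line.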

I'd be in favor of marking radare2 as unsupported, probably even for stable,
but definitely for oldstable and older.

I'd be happy to do these changes in src:debian-security-tracker and
upload this to sid.


-- 
cheers,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
