Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.
Adding the radare2 uploaders to CC.
On Fri, Aug 16, 2019 at 11:23:05PM +0200, Markus Koschany wrote:
> >> + NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in
> >> + NOTE: libr/core/bin.c. Many no-dsa issues in Jessie and Stretch. Should we
> >> + NOTE: continue the current approach, update to a newer upstream version or mark
> >> + NOTE: radare2 as unsupported? Also note that there is a r2-pwnDebian challenge...
> >> + NOTE: https://bananamafia.dev/post/r2-pwndebian/ (apo)
> > I'd be in favor of marking radare2 as unsupported, probably even for stable,
> > but definitly for oldstable and older.
> > I'd be happy to do these changes in src:debian-security-tracker and
> > uploading this to sid.
> I just noticed that we are not consistent with fixing CVE in radare2 and
> I would also be in favor of marking it as unsupported. Another option
> would be to package always the latest upstream release and backport that
> to stable and oldstable but it seems we already lag behind a few
> versions in unstable, so I'd rather choose the first option.
The upstream link makes it sound as if they are one of those upstreams
which reject the idea of distributions shipping an older release to
a stable distro. For a tool like radare2 that seems fair enough, so
how about simply excluding it from stable releases (and retroactively
drop it from Buster/Stretch in the forthcoming point releases)?