mumble package / CVE-2018-20743
Yesterday I started looking at an unclaimed package, mumble. I concluded
that the security patch requires C++11, does unless C++11 support is
enabled, but enabling C++11 support is not possible with the Jessie
package as is because the Jessie package has no build support for C++11.
Then today I noticed that Abhijith is still working on this package, who
added the following entry to dla-needed.txt:
=== cut ===
Author: Abhijith PA <firstname.lastname@example.org>
Date: Tue May 5 18:02:27 2020 +0530
Add note for mumble in dla-needed.txt
diff --git a/data/dla-needed.txt b/data/dla-needed.txt
index 1f1e7888df..ef6beea1ac 100644
@@ -65,6 +65,7 @@ mumble
NOTE: 20200325: Regression in last upload, forgot to follow up.
NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith)
+ NOTE: 20200504: discussion going on with email@example.com and mumble maintainer (abhijith)
NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasible and, alas, no tests. (lamby)
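Review bot: the added 20200504 NOTE records that a discussion is going on but gives no pointer to it (no list archive URL, bug number or Message-ID), so anyone else picking up the package cannot find or follow it. Suggest adding where the discussion lives and a one-line summary of its current state, the same way the 20200325 note links the upstream issue.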
=== cut ===
Unfortunately, I can't find any record of these discussions - in order
to reduce duplicated work - is it possible you could please summarise
here on debian-lts?
Alternatively (or maybe additionally) you might want to reclaim the
mumble package again...
Brian May <firstname.lastname@example.org>