
mumble package / CVE-2018-20743

Hello All,


Yesterday I started looking at an unclaimed package, mumble. I concluded
that the security patch requires C++11, does unless C++11 support is
enabled, but enabling C++11 support is not possible with the Jessie
package as is because the Jessie package has no build support for C++11.

Then today I noticed that Abhijith is still working on this package; he
added the following entry to dla-needed.txt:

=== cut ===
commit c68a758f05548b7441dc218176123c37db4bb3bb
Author: Abhijith PA <abhijith@disroot.org>
Date:   Tue May 5 18:02:27 2020 +0530

    Add note for mumble in dla-needed.txt

diff --git a/data/dla-needed.txt b/data/dla-needed.txt
index 1f1e7888df..ef6beea1ac 100644
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -65,6 +65,7 @@ mumble
   NOTE: 20200325: Regression in last upload, forgot to follow up.
   NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
   NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith)
+  NOTE: 20200504: discussion going on with team@security.debian.org and mumble maintainer (abhijith)
   NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasible and, alas, no tests. (lamby)
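Review bot: The added "NOTE: 20200504" line says a discussion is going on with team@security.debian.org and the mumble maintainer, but it does not say what is being discussed or where the thread can be read, so anyone else picking up the package from dla-needed.txt cannot tell what has already been decided. Suggest extending the note with a one-line summary of the open question (for example, whether it concerns the incomplete upstream patch mentioned in the 20200420 note) and a reference to an archived message or bug report, or following it with a note once the discussion has an outcome.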
=== cut ===


Unfortunately, I can't find any record of these discussions - in order
to reduce duplicated work - is it possible you could please summarise
here on debian-lts?

Alternatively (or maybe additionally) you might want to reclaim the
mumble package again...

Brian May <brian@linuxpenguins.xyz>
