mumble package / CVE-2018-20743
Hello All,
Background:
Yesterday I started looking at an unclaimed package, mumble. I concluded
that the security patch requires C++11, does unless C++11 support is
enabled, but enabling C++11 support is not possible with the Jessie
package as is because the Jessie package has no build support for C++11.
Then today I noticed that Abhijith is still working on this package, who
added the following entry to dla-needed.txt:
=== cut ===
commit c68a758f05548b7441dc218176123c37db4bb3bb
Author: Abhijith PA <abhijith@disroot.org>
Date: Tue May 5 18:02:27 2020 +0530
Add note for mumble in dla-needed.txt
diff --git a/data/dla-needed.txt b/data/dla-needed.txt
index 1f1e7888df..ef6beea1ac 100644
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -65,6 +65,7 @@ mumble
NOTE: 20200325: Regression in last upload, forgot to follow up.
NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith)
+ NOTE: 20200504: discussion going on with team@security.debian.org and mumble maintainer (abhijith)
--
nginx
NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasible and, alas, no tests. (lamby)
=== cut ===
Abhijith:
Unfortunately, I can't find any record of these discussions - in order
to reduce duplicated work - is it possible you could please summarise
here on debian-lts?
Alternatively (or maybe additionally) you might want to reclaim the
mumble package again...
Regards
--
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
Reply to: