
Re: Please remove knowledgetree and slash for security issues



Steve Langasek wrote:
>> Steve Langasek wrote:
>> > In the meantime, I'm downgrading 160579 because I don't see anything in
>> > that report that would justify claiming the package is unreleasable.
>
>> It's also vulnerable to CVE-2004-2656 (no bug seems to exist) and
>> CVE-2001-1535 (328927).
>
> FWIW, of all of these the one that looks most serious to me is the one that
> doesn't have a bug filed for it yet. :)  

CVE-2004-2656 should get fixed for Etch, the rest isn't terribly serious.

> Can you explain which of these bugs
> you think justify removing the package from a release, and why?

It has a marginal user base and seems unmaintained, I'm not sure if it's
worth carrying around; but I don't have objections security-wise.

Cheers,
        Moritz



