
Re: Please remove knowledgetree and slash for security issues



On Sun, Aug 27, 2006 at 09:48:42PM +0200, Moritz Muehlenhoff wrote:
> Steve Langasek wrote:
> >> Steve Langasek wrote:
> >> > In the meantime, I'm downgrading 160579 because I don't see anything in that
> >> > report that would justify claiming the package is unreleasable.

> >> It's also vulnerable to CVE-2004-2656 (no bug seems to exist) and
> >> CVE-2001-1535 (328927).

> > FWIW, of all of these the one that looks most serious to me is the one that
> > doesn't have a bug filed for it yet. :)  

> CVE-2004-2656 should get fixed for Etch, the rest isn't terribly serious.

Could you file a bug report on this one then?  That would give us grounds
for removal if the maintainer doesn't react.

> > Can you explain which of these bugs
> > you think justify removing the package from a release, and why?

> It has a marginal user base and seems unmaintained, I'm not sure if it's
> worth carrying around; but I don't have objections security-wise.

Right -- as noted before, I think the rest of those are QA objections, not
reasons for the release team to remove the package directly.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/


