
Bug#417328: links2: should not be part of any stable release



Package: links2
Version: 2.1pre16-1
Severity: serious
Tags: security
Justification: seems too buggy to be supported by the security team

Hi,

On December 21st, DSA 1240 was released by a member of the security
team. It was issued to fix 'arbitrary shell command execution'. Within a
week the stable release team informed the security team that the DSA
was not released with all architectures. The security team was reminded
about this issue by me several times, please see
Message-ID: <20061228203825.GP4452@ftbfs.de>
Message-ID: <20070112214952.GP20105@ftbfs.de>
Message-ID: <20070304193155.GQ23692@ftbfs.de>

Even our DPL and FTP-Master aj became active on that and offered the
build logs to become available to all security team members (embargoed
and non-embargoed team).

Also the security team got reminded about that issue several times on
IRC in #debian-security.

This issue has now stood for 3.5 months without reaction from the security
team. Therefore I conclude that the security team is a) either unwilling
to support links2 in stable or b) this package is too buggy to be
supported.

I therefore also propose to remove this package from stable with the
next point release (to happen on Thursday or Friday this week) and
advise the rest of the release team to do the same for Etch.

Greetings
Martin


System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (1003, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages links2 depends on:
ii  libc6                     2.3.6.ds1-13   GNU C Library: Shared libraries
ii  libdirectfb-0.9-25        0.9.25.1-5     direct frame buffer graphics - sha
ii  libgpmg1                  1.19.6-25      General Purpose Mouse - shared lib
ii  libjpeg62                 6b-13          The Independent JPEG Group's JPEG 
ii  libpng12-0                1.2.15~beta5-1 PNG library - runtime
ii  libssl0.9.8               0.9.8c-4       SSL shared libraries
ii  libsvga1                  1:1.4.3-24     console SVGA display libraries
ii  libtiff4                  3.8.2-7        Tag Image File Format (TIFF) libra
ii  libx11-6                  2:1.0.3-6      X11 client-side library
ii  zlib1g                    1:1.2.3-13     compression library - runtime

links2 recommends no packages.

-- no debconf information

Attachment: signature.asc
Description: Digital signature

