[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: dcc removal?

Hi Moritz,
* Moritz Muehlenhoff <jmm@inutil.org> [2008-01-18 10:08]:
> Nico Golde wrote:
> > currently there is one medium severe security issue in the=20
> > dcc software (CVE-2007-1047[0]) which is currently unfixed=20
> > in all Debian distributions.
> >
> > I had a private conversation[1] with the upstream author of dcc
> > and the result of this was that backporting this fix to the=20
> > versions included in Debian is not possible because there=20
> > are way too many changes between the version to
> > extract the relevant changes from the diff without having a=20
> > deep knowledge of what the code does.
> >
> > So we can't backport a fix and we also don't get patches by=20
> > the upstream author.
> >
> > Considering that this also does have a negative impact on=20
> > the DCC network itself, what do you think about removing=20
> > this package from stable?
> It's my understanding from the conversation with upstream, that the open
> security issues is unrelated to the fact that the outdated version
> of DCC in Etch causes problems inside the DCC network.

Yes that's true.
Kind regards
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpTKN90Fr_yI.pgp
Description: PGP signature

Reply to: