[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

SRMs: Should maxdb-related packages be removed from Etch?

Hi SRMs,

I just noticed this in http://ftp-master.debian.org/removals.txt :

> [Date: Sun, 20 Jan 2008 00:44:40 +0000] [ftpmaster: Joerg Jaspert]
> Removed the following packages from unstable:
> maxdb-7.5.00 | | source
> Closed bugs: 461456
> ------------------- Reason -------------------
> RoM; security issues, upstream closed source
> ----------------------------------------------

Should the maxdb-7.5.00 source package perhaps also be removed from Etch
for these reasons?  The security bug is #461444 and has CVE number
CVE-2008-0244.  Upstream has taken the package closed-source and
apparently there is no easy fix for the security problems.  I don't see
any indication that there is an intent to release a security update for
the Etch packages.

If you decide to remove maxdb-7.5.00 source package from Etch, the
following dependent source packages should also be removed:

libdbd-maxdb-perl (#461479)
php-maxdb (#461480)

The following would not need to be removed for dependency reasons, but
they would no longer have any reason to be shipped:

maxdb-doc (#461481)
maxdb-buildtools (#461482)
libsapdbc-java (#461483)

best regards,

Kevin B. McCarty <kmccarty@gmail.com>
WWW: http://www.starplot.org/
WWW: http://people.debian.org/~kmccarty/
GPG: public key ID 4F83C751

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: