Status of some open security issues in Wheezy
Hi,
I made a systematic trackdown of open security issues in Wheezy and would like
to summarise some issues in this mail. Some security blocks might be lost in
the backlog; it would be nice if someone could go through this list:
bacula / CVE-2012-4430
This was fixed in testing-proposed-updates in 5.2.6+dfsg-2.1
There's a larger unblock discussion with more changes in #689003
Please either unblock the revised package from
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689003#80 or
the tpu security fix.
icecast2 / CVE-2011-4612
I prepared a tpu backport a month ago. Can I go ahead and upload?
(691186)
pcp / CVE-2012-3418 CVE-2012-3419 CVE-2012-3420 CVE-2012-3421 CVE-2012-5530
Huge fix made in unstable (but many changes needed to fix the issue). Updated
package introduces shlibs changes (686868). No rdeps and low popcon. Could also
be removed IMO.
dnsmasq / CVE-2012-3411
There's a longstanding unblock request (690075). However, since this is of low
impact and would require additional fixes in libvirt, I'm inclined to leave it
as-is for Wheezy. Agreed?
weechat / CVE-2012-5534 / CVE-2012-5854
There's a tpu request in #693702
cityhash / CVE-2012-6051
Given the circumstances (694999) I think removal from Wheezy is the way to go
forward.
gimp / CVE-2012-5576
Blocked by missing s390x build. I've contacted the buildd maints, but got
no response. Can anyone of you trigger a giveback?
yui / CVE-2012-5881 CVE-2012-5882 CVE-2012-5883
This package is a complete mess, for Jessie we'll need to migrate all packages
to yui3. For Wheezy we're stuck with two additional DFSG bugs. If they're
wheezy-ignored I can fix the security issues in a NMU.
qt4-x11 / CVE-2012-4929
The transition of the fix is blocked by the ia64 build failure. No idea where
that is coming from?
Cheers,
Moritz