Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.


On 16.08.19 at 22:40, Holger Levsen wrote:
> On Fri, Aug 16, 2019 at 08:11:58PM +0000, Markus Koschany wrote:
>> Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
>> Commits:
>> bc35662f by Markus Koschany at 2019-08-16T20:11:47Z
>> Add radare2 to dla-needed.txt with comments.
>> - - - - -
>> 1 changed file:
>> - data/dla-needed.txt
>> +radare2
>> +  NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in
>> +  NOTE: libr/core/bin.c. Many no-dsa issues in Jessie and Stretch. Should we
>> +  NOTE: continue the current approach, update to a newer upstream version or mark
>> +  NOTE: radare2 as unsupported? Also note that there is a r2-pwnDebian challenge...
>> +  NOTE: https://bananamafia.dev/post/r2-pwndebian/ (apo)
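Review bot: From "Many no-dsa issues in Jessie and Stretch" onward, the NOTE lines place an open policy question (continue the current approach, update to a newer upstream version, or mark radare2 as unsupported) inside data/dla-needed.txt, where nobody can answer it. Consider keeping the entry to what a claimant needs (CVE-2019-14745, the affected file libr/core/bin.c) plus a pointer to the list thread where the question is discussed, and naming the no-dsa issues it refers to so that "many" can be checked.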
> I'd be in favor of marking radare2 as unsupported, probably even for stable,
> but definitely for oldstable and older.
> I'd be happy to do these changes in src:debian-security-tracker and
> upload this to sid.


I just noticed that we are not consistent with fixing CVEs in radare2 and
I would also be in favor of marking it as unsupported. Another option
would be to always package the latest upstream release and backport that
to stable and oldstable, but it seems we already lag behind a few
versions in unstable, so I'd rather choose the first option.

