Hi, Am 16.08.19 um 22:40 schrieb Holger Levsen: > On Fri, Aug 16, 2019 at 08:11:58PM +0000, Markus Koschany wrote: >> Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker >> >> Commits: >> bc35662f by Markus Koschany at 2019-08-16T20:11:47Z >> Add radare2 to dla-needed.txt with comments. >> >> - - - - - >> 1 changed file: >> - data/dla-needed.txt >> +radare2 >> + NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in >> + NOTE: libr/core/bin.c. Many no-dsa issues in Jessie and Stretch. Should we >> + NOTE: continue the current approach, update to a newer upstream version or mark >> + NOTE: radare2 as unsupported? Also note that there is a r2-pwnDebian challenge... >> + NOTE: https://bananamafia.dev/post/r2-pwndebian/ (apo) > > I'd be in favor of marking radare2 as unsupported, probably even for stable, > but definitly for oldstable and older. > > I'd be happy to do these changes in src:debian-security-tracker and > uploading this to sid. +1 I just noticed that we are not consistent with fixing CVE in radare2 and I would also be in favor of marking it as unsupported. Another option would be to package always the latest upstream release and backport that to stable and oldstable but it seems we already lag behind a few versions in unstable, so I'd rather choose the first option. Markus
Attachment:
signature.asc
Description: OpenPGP digital signature