On Sat, Nov 25, 2017 at 08:12:22AM +0100, Salvatore Bonaccorso wrote:
> Hi Tony!
> 
> Thanks for your reply, dropping LTS list since reply is specific for
> oldstable, stable and unstable.
> 
> On Wed, Nov 22, 2017 at 03:32:36PM -0800, tony mancill wrote:
> > On Wed, Nov 22, 2017 at 09:00:59PM +0100, Emilio Pozuelo Monfort wrote:
> > > On 08/11/17 20:19, Ola Lundqvist wrote:
> > > > Hi
> > > > 
> > > > Considering that this package is about to be removed from jessie I
> > > > guess it should be removed from wheezy too. How is that done? Should I
> > > > contact the FTP maintainers about it, or do we simply ignore the
> > > > issue?
> > > 
> > > We don't have point releases, so I'm not sure we can get a package
> > > removed at this stage without extra work by the ftp masters. So our
> > > options would be:
> > > 
> > > - mark as no-dsa if it's not important enough
> > > - mark as unsupported / end-of-life
> > > - fix it
> > > - get it removed
> > > 
> > > The issue seems only exploitable if it's used by a service that is exposed
> > > remotely or to other issues... and has no rdeps in wheezy. OTOH there is
> > > at least one sponsor using that package. So removing it may not be the
> > > best course given there is a proposed patch. So I'd go with either
> > > no-dsa or fix it, depending on the assessed importance.
> > 
> > Hi,
> > 
> > My apologies for taking a while to join the thread. As the most recent
> > uploader of this package, I feel responsible for helping get it into a
> > safe state if we opt to keep it. However, I am not an active user, so
> > if the package is to remain in Debian, it might be better to transition
> > it to the Debian Perl Team (assuming that is amenable to the team).
> > 
> > I tend to agree with Emilio that removing it might not be the best
> > course of action for our users, particularly given that we have a patch
> > and the popcon [1] is non-zero. Removing it from the distribution seems
> > like it merely leaves users with a known vulnerability. Also, the
> > package might be used in derivatives.
> > 
> > I agree with Simon that it's a little odd for the patch to bump the
> > version. (OTOH, it makes it much easier to differentiate from the
> > vulnerable 0.15.) Still, I am inclined to take the patch as a patch
> > against upstream 0.15 for the upload to unstable and then backport it
> > for 0.13 for stable and oldstable. Or perhaps Alexandr Ciornii (on the
> > cc) would be willing to release 0.16 including the patch.
> > 
> > Thoughts?
> 
> The package is basically "unmaintained" (upstream)[*] and for almost
> 10 years did not address
> https://rt.cpan.org/Public/Bug/Display.html?id=33230 (maybe you can
> argue, as well a fault for various "downstreams" to not notice and
> bring that earlier up, definitively. I wonder why only now it got
> attention on oss-security, for which I then requested a CVE)
> 
> IMHO the best course of action is still to have it removed, in all
> suites. For unstable, so that it's not included in buster. And for
> oldstable and stable (as scheduled for the upcoming point releases)
> via the point release announcements. The announcement will contain a
> section which packages are removed from Debian, and for which reason,
> so still users of Net::Ping::External are informed.
> 
> I agree as well that if one starts to argue that way that there are
> old packages which do not see updates from upstream, then a whole more
> should be removed from Debian ;-). My point was not this though, I'm
> concerned that there was a bug with security implications for almost
> 10 years reported in public bugtracker, without even a reply to it to
> acknowledge the problem.
Hi Salvatore,

Understood. I can appreciate all of the considerations that the Security
Team has to take into account regarding the distribution life cycle.

I realize it won't be part of the announcement nor is it officially part
of Debian, but in case it helps any users of Net::Ping::External who come
across this bug report, I did prepare an updated package for 0.15 that
includes the patch for CVE-2008-7319. That packaging can be found here [1].

Cheers,
tony

[1] https://anonscm.debian.org/cgit/pkg-perl/packages/libnet-ping-external-perl.git