Hi,
* Stephan Hermann <[EMAIL PROTECTED]> [2007-11-15 14:11]:
> Dear Colleagues,
> 
> I discussed this on [EMAIL PROTECTED] and with other people from
> the ubuntu community. 
> 
> I (or we) think it's time to get rid of this package, just because it
> has a lot of security flaws (which are not already determined) but with
> 3 CVEs hanging. 
> 
> Upstream seems to be (is) dead.
> 
> Regarding the alternatives for IRC clients on the console (irssi in
> this case) and other alternatives on the X Window interface (xchat,
> konversation etc.) it should be no deal to get rid of this package.
> 
> This removal request will be filed on Launchpad.net for Ubuntu, too.

I strongly agree with this.
Bitchx (ircii-pana) is currently vulnerable to 3 security 
issues, namely CVE-2007-3360, CVE-2007-4584 and CVE-2007-5839.
In my opinion CVE-2007-4584 is most important and no one 
found a solution yet. Of course this alone is no reason to 
remove it. The whole source code is a mess, everyone who 
sits down to find a security issue in bitchx will find 
another one.

The ircii-pana maintainer also seems to be MIA, I mailed him 
some time ago without an answer yet. I also mailed the 
upstream quite some time ago, also no answer.

Additionally it has an FTBFS open (patch attached to the bug 
report) but even with the patch for this FTBFS you would run 
into another I didn't file a bug for since no one seems to 
care about ircii-pana.

Sadly still a lot of people use bitchx but considering that 
there are enough good alternatives in the archive I think 
removing it would be appropriate.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
