Hi,

I made a systematic trackdown of open security issues in Wheezy and would like to summarise some issues in this mail. Some security blocks might be lost in the backlog; it would be nice if someone could go through this list:

bacula / CVE-2012-4430
This was fixed in testing-proposed-updates in 5.2.6+dfsg-2.1.
There's a larger unblock discussion with more changes in #689003.
Please either unblock the revised package from
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689003#80
or the tpu security fix.

icecast2 / CVE-2011-4612
I prepared a tpu backport a month ago. Can I go ahead and upload? (691186)

pcp / CVE-2012-3418 CVE-2012-3419 CVE-2012-3420 CVE-2012-3421 CVE-2012-5530
Huge fix made in unstable (but many changes needed to fix the issue).
Updated package introduces shlibs changes (686868).
No rdeps and low popcon. Could also be removed IMO.

dnsmasq / CVE-2012-3411
There's a longstanding unblock request (690075). However, since this is
of low impact and would require additional fixes in libvirt, I'm inclined
to leave it as-is for Wheezy. Agreed?

weechat / CVE-2012-5534 / CVE-2012-5854
There's a tpu request in #693702.

cityhash / CVE-2012-6051
Given the circumstances (694999) I think removal from Wheezy is the way
to go forward.

gimp / CVE-2012-5576
Blocked by missing s390x build. I've contacted the buildd maints, but got
no response. Can any of you trigger a giveback?

yui / CVE-2012-5881 CVE-2012-5882 CVE-2012-5883
This package is a complete mess; for Jessie we'll need to migrate all
packages to yui3. For Wheezy we're stuck with two additional DFSG bugs.
If they're wheezy-ignored I can fix the security issues in an NMU.

qt4-x11 / CVE-2012-4929
The transition of the fix is blocked by the ia64 build failure. No idea
where that is coming from?

Cheers,
Moritz

