commit:     4ac40f1280724fe6d38d3fdb53539a91975cfd23
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Mon Jul 20 21:51:49 2020 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Mon Jul 20 21:51:49 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ac40f12

profiles/package.mask: security mask net-libs/nDPI (+ reverse deps)

Mask net-libs/nDPI and its reverse dependencies (ntopng, pmacct)
unless / until a sustainable fix is found for the multiple
serious vulnerabilities reported in nDPI.

Upstream have an unstable API which often breaks reverse
deps, making applying patches an unworkable solution for now.

There is no fixed release upstream, nor is there a clear
timeline for one being published.

This bug has been open for a significant amount of time,
and this mask is not with a view to removal, but to
ensure users are aware of the risks of using this package.

Bug: https://bugs.gentoo.org/719084
Signed-off-by: Sam James <sam <AT> gentoo.org>

 profiles/package.mask | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/profiles/package.mask b/profiles/package.mask
index 2bf0241bf2a..f5f377cffd2 100644
--- a/profiles/package.mask
+++ b/profiles/package.mask
@@ -32,6 +32,20 @@
 
 #--- END OF EXAMPLES ---
 
+# Sam James <s...@gentoo.org> (2020-07-20)
+# Serious security vulnerabilities, including
+# remote code execution. Upstream have not yet
+# made a stable release in response to numerous
+# CVEs. Applying patches is not a workable
+# solution for now because of the fragility
+# of reverse dependencies.
+# Indefinitely masking until we have a solution
+# for this.
+# bug #719084
+net-analyzer/ntopng
+net-analyzer/pmacct
+net-libs/nDPI
+
 # Jaco Kroon <j...@uls.co.za> (2020-07-20)
 # net-misc/asterisk was only consumer, dependency now removed (due to failures
 # in osptoolkit build). No known users of USE=osplookup in net-misc/asterisk,
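Review bot: the mask comment (`+# Serious security vulnerabilities, including` / `+# remote code execution.`) tells users only "numerous CVEs" and "bug #719084"; since this text is what emerge prints when the mask blocks an install, naming the CVE identifiers or at least giving the full bug URL from the commit message would let users judge the risk without looking it up. The same comment also never says why `net-analyzer/ntopng` and `net-analyzer/pmacct` are listed; the commit message explains they are reverse dependencies of `net-libs/nDPI`, and one short line stating that in the mask entry would avoid readers assuming those two packages carry vulnerabilities of their own.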