All, Many packages have been masked in the tree for months - years with no signs of fixes.
I am particularly concerned about packages with known security vulnerabilities staying in the main tree masked. If people want to keep using those packages, I don't want to stop them, but packages like this should be in an overlay, not the main tree. On 28 Jan, I will go through this list again, from oldest to newest, first focusing on packages with known security issues. Any of these that I find still in p.mask or with no fixes but still in the main tree will be removed then. # Patrick Lauer <patr...@gentoo.org> (24 Nov 2014) # Missing deps, uninstallable app-misc/email2trac www-apps/trac-downloads # Jauhien Piatlicki <jauh...@gentoo.org> (5 Oct 2014) # Masked because of bug 524390: privilege escalation # until upstream fixes this security issue. # Use at your own risk <x11-misc/sddm-0.10.0 # Sergey Popov <pinkb...@gentoo.org> (04 Sep 2014) # Security mask, wrt bugs #488212, #498164, #500260, # #507802 and #518718 <virtual/mysql-5.5 <dev-db/mysql-5.5.39 <dev-db/mariadb-5.5.39 # Chí-Thanh Christopher Nguyễn <chith...@gentoo.org> (03 Sep 2014) # Markos Chandras <hwoar...@gentoo.org> (02 Sep 2014) # MSN service terminated. # You can still use your MSN account in net-im/skype # or switch to an open protocol instead # Masked for removal in 30 days net-im/amsn x11-themes/amsn-skins # Christian Faulhammer <fa...@gentoo.org> (02 Sep 2014) # website not working anymore and will stay like this, # tool is useless. See bug 504734 app-admin/hwreport # Ulrich Müller <u...@gentoo.org> (15 Jul 2014) # Permanently mask sys-libs/lib-compat and its reverse dependencies, # pending multiple security vulnerabilities and QA issues. # See bugs #515926 and #510960. sys-libs/lib-compat sys-libs/lib-compat-loki games-action/mutantstorm-demo games-action/phobiaii games-emulation/handy games-fps/rtcw games-fps/unreal games-strategy/heroes3 games-strategy/heroes3-demo games-strategy/smac sys-block/afacli # Mike Gilbert <flop...@gentoo.org> (13 Jun 2014) # Masked due to security bug 499870. # Please migrate to net-misc/libreswan. # If you are a Gentoo developer, feel free to pick up maintenence of openswan # and remove this mask after resolving the security issue. net-misc/openswan # Mike Gilbert <flop...@gentoo.org> (10 Jun 2014) # Tom Wijsman <tom...@gentoo.org> (8 Jun 2014) # Mask VLC ebuilds that are affected with security bug CVE-2013-6934: # # A vulnerability has been discovered in VLC Media Player, which can be # exploited by malicious people to compromise a user's system. # # Some ebuilds also have other buffer and integer overflow security bugs like # CVE-2013-1954, CVE-2013-3245, CVE-2013-4388 and CVE-2013-6283. # # Users should consider to upgrade VLC Media Player to at least version 2.1.2. <media-video/vlc-2.1.2 # Tom Wijsman <tom...@gentoo.org> (6 Jun 2014) # Tom Wijsman <tom...@gentoo.org> (6 Jun 2014) # Mask gentoo-sources ebuilds that are affected with security bug CVE-2014-3153. # # Pinkie Pie discovered an issue in the futex subsystem that allows a # local user to gain ring 0 control via the futex syscall. An # unprivileged user could use this flaw to crash the kernel (resulting # in denial of service) or for privilege escalation. # # https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-3153 =sys-kernel/gentoo-sources-3.2.58-r2 ~sys-kernel/gentoo-sources-3.4.90 =sys-kernel/gentoo-sources-3.4.91 ~sys-kernel/gentoo-sources-3.10.40 =sys-kernel/gentoo-sources-3.10.41 ~sys-kernel/gentoo-sources-3.12.20 =sys-kernel/gentoo-sources-3.12.21 ~sys-kernel/gentoo-sources-3.14.4 =sys-kernel/gentoo-sources-3.14.5 # Tom Wijsman <tom...@gentoo.org> (30 May 2014) # CVE-2012-1721 - Remote Code Execution Vulnerability # # Vulnerable: IBM Java SE 5.0 SR12-FP5 # URL: http://www.securityfocus.com/bid/53959/ dev-java/ibm-jdk-bin:1.5 # Alexander Vershilov <qni...@gentoo.org> (02 Apr 2014) # Multiple vulnerabilities, see #504724, #505860 <sys-kernel/openvz-sources-2.6.32.85.17 # Chí-Thanh Christopher Nguyễn <chith...@gentoo.org> (26 Mar 2014) # Affected by multiple vulnerabilities, #445916, #471098 and #472280 <media-libs/mesa-9.1.4 # Sergey Popov <pinkb...@gentoo.org> (20 Mar 2014) # Security mask of vulnerable versions, wrt bug #424167 <net-nds/openldap-2.4.35 # Michael Weber <x...@gentoo.org> (9 Jul 2013) # Masked for security bug 450746, CVE-2012-6095 <net-ftp/proftpd-1.3.4c # Samuli Suominen <ssuomi...@gentoo.org> (30 Oct 2011) # Masked for security bug #294253, use only at your own risk! =media-libs/fmod-3* games-puzzle/candycrisis games-simulation/stoned-bin games-sports/racer-bin games-strategy/dark-oberon games-strategy/savage-bin # Chris Gianelloni <wolf3...@gentoo.org> (03 Mar 2008) # Masking due to security bug #194607 and security bug #204067 games-fps/doom3 games-fps/doom3-cdoom games-fps/doom3-chextrek games-fps/doom3-data games-fps/doom3-demo games-fps/doom3-ducttape games-fps/doom3-eventhorizon games-fps/doom3-hellcampaign games-fps/doom3-inhell games-fps/doom3-lms games-fps/doom3-mitm games-fps/doom3-phantasm games-fps/doom3-roe games-fps/quake4-bin games-fps/quake4-data games-fps/quake4-demo # Tavis Ormandy <tav...@gentoo.org> (21 Mar 2006) # masked pending unresolved security issues #127167 games-roguelike/slashem # Tavis Ormandy <tav...@gentoo.org> (21 Mar 2006) # masked pending unresolved security issues #125902 games-roguelike/nethack games-util/hearse # <klie...@gentoo.org> (01 Apr 2004) # The following packages contain a remotely-exploitable # security vulnerability and have been hard masked accordingly. # # Please see http://bugs.gentoo.org/show_bug.cgi?id=44351 for more info # games-fps/unreal-tournament-goty games-fps/unreal-tournament-strikeforce games-fps/unreal-tournament-bonuspacks games-fps/aaut Thanks, William
signature.asc
Description: Digital signature
