2010/3/15 Holger Hans Peter Freyther <[email protected]>:
> On Monday 08 March 2010 13:51:35 Holger Hans Peter Freyther wrote:
>> On Monday 08 March 2010 13:42:07 Dr. Michael Lauer wrote:
>> > While I'm not using it atm., I recall that samba-essential was the only
>> > recipe that worked relatively painless when Matthias Hentges created it
>> > back then.
>>
>> Then please fix it. You will do a great service to our users. The following
>> CVEs are not addressed:
>> CVE-2009-2813, CVE-2009-2948, CVE-2009-2906, CVE-2009-1888,
>> CVE-2008-4314, CVE-2008-1105, CVE-2007-6015, CVS-2007-4572, CVE-2007-5398,
>> CVE-2007-2444, CVE-2007-2446, CVE-2007-2447, CVE-2007-0452, CVE-2007-0453,
>> CVE-2007-0454, CAN-2006-1059..
>
>
> any update? Is anyone volunteering to update samba-essential or shall we
> remove it from the tree? I think we have a responsibility to our users that if
> we install a network daemon that we at least fix the known security issues with
> this one or remove it from our recipe collection... Opinions?

Do we feel we have that responsibility?
I didn't feel that sentiment when it came to removing other legacy recipes
(some of which definitely also will have security issues).

E.g. for openssl we have
openssl_0.9.7e.bb
openssl_0.9.7g.bb
openssl_0.9.7m.bb
openssl_0.9.8g.bb
openssl_0.9.8m.bb
I'm pretty certain the last one will fix some vulnerabilities present
in the first one.

The same probably holds for all network related stuff (nfs, apache, php, cups, ...)

Btw this is not a volunteering proposal from my side. I haven't
recovered from being burned last time.

Frans

PS: I'm in favour of keeping samba-essential. In an embedded system
lightweight solutions are often desirable.
