Bug#1043161: i2p: CVE-2023-36325

2023-11-11 Thread Salvatore Bonaccorso
Hi,

On Fri, Nov 10, 2023 at 10:05:44AM +0100, Pierre Gruet wrote:
> Hi Salvatore,
> 
> I am doing some QA overseeing, I am not the maintainer of i2p. I NMUed it
> one year and a half ago, nothing has happened since then.
> 
> On Sun, 06 Aug 2023 21:26:51 +0200 Salvatore Bonaccorso wrote:
> > Source: i2p
> > Version: 0.9.48-1.1
> > Tags: security upstream
> > Justification: user security hole
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> 
> >
> > Hi,
> >
> > The following vulnerability was published for i2p.
> >
> > CVE-2023-36325[0]:
> > | Attackers can de-anonymize i2p hidden services with a message replay
> > | attack
> >
> > Should i2p be removed from unstable?
> 
> - I feel fixing the CVE would require packaging the last upstream version (which
> fixed it); the Debian version is far behind it, and upstream has changed its build
> system, so a simple NMU is not the solution;
> - I don't feel the maintainer still has interest in this package, which he
> has not touched for 3 years;
> - There is another RC bug #1031817 needing to be worked on, upstream has not
> addressed it yet;
> - i2p has not been in a Debian release since buster;
> - its popcon is quickly decreasing;
> - there is only one rdep, syndie, with the same maintainer, it has not seen
> an upload in 4 years and has a near-zero popcon.
> 
> I would indeed suggest removing the package and syndie (RoQA) after giving
> the maintainer some time to respond. Keeping these two packages in
> unstable seems only harmful right now.
> 
> What do you think?

I agree on this course of action; by now I believe it is best
not to have the package in unstable either, unless it gets
rebased to a new upstream version (including addressing this CVE).

That said, syndie is maintained by Masayuki Hatta as well.

Bcc'ing the maintainer with some known email addresses.

Regards,
Salvatore



Bug#1043161: i2p: CVE-2023-36325

2023-11-10 Thread Pierre Gruet

Hi again,

Just for the sake of clarity: below I suggested a path to removal but I 
want to make it clear I don't intend to undertake such action, 
disrespecting the maintainer. Debian processes have to be respected.


Best,

--
Pierre

On 10/11/2023 at 10:05, Pierre Gruet wrote:

> Hi Salvatore,
> 
> I am doing some QA overseeing, I am not the maintainer of i2p. I NMUed
> it one year and a half ago, nothing has happened since then.
> 
> On Sun, 06 Aug 2023 21:26:51 +0200 Salvatore Bonaccorso wrote:
> 
> > Source: i2p
> > Version: 0.9.48-1.1
> > Tags: security upstream
> > Justification: user security hole
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> >
> > Hi,
> >
> > The following vulnerability was published for i2p.
> >
> > CVE-2023-36325[0]:
> > | Attackers can de-anonymize i2p hidden services with a message replay
> > | attack
> >
> > Should i2p be removed from unstable?
> 
> - I feel fixing the CVE would require packaging the last upstream version
> (which fixed it); the Debian version is far behind it, and upstream has changed
> its build system, so a simple NMU is not the solution;
> - I don't feel the maintainer still has interest in this package,
> which he has not touched for 3 years;
> - There is another RC bug #1031817 needing to be worked on, upstream has
> not addressed it yet;
> - i2p has not been in a Debian release since buster;
> - its popcon is quickly decreasing;
> - there is only one rdep, syndie, with the same maintainer, it has not
> seen an upload in 4 years and has a near-zero popcon.
> 
> I would indeed suggest removing the package and syndie (RoQA) after
> giving the maintainer some time to respond. Keeping these two
> packages in unstable seems only harmful right now.
> 
> What do you think?
> 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2023-36325
> > https://www.cve.org/CVERecord?id=CVE-2023-36325
> > [1] https://xeiaso.net/blog/CVE-2023-36325
> >
> > Regards,
> > Salvatore
> 
> Best,





Bug#1043161: i2p: CVE-2023-36325

2023-11-10 Thread Pierre Gruet

Hi Salvatore,

I am doing some QA overseeing, I am not the maintainer of i2p. I NMUed 
it one year and a half ago, nothing has happened since then.


On Sun, 06 Aug 2023 21:26:51 +0200 Salvatore Bonaccorso wrote:

> Source: i2p
> Version: 0.9.48-1.1
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: car...@debian.org, Debian Security Team 


>
> Hi,
>
> The following vulnerability was published for i2p.
>
> CVE-2023-36325[0]:
> | Attackers can de-anonymize i2p hidden services with a message replay
> | attack
>
> Should i2p be removed from unstable?

- I feel fixing the CVE would require packaging the last upstream version 
(which fixed it); the Debian version is far behind it, and upstream has changed 
its build system, so a simple NMU is not the solution;
- I don't feel the maintainer still has interest in this package, 
which he has not touched for 3 years;
- There is another RC bug #1031817 needing to be worked on, upstream has 
not addressed it yet;

- i2p has not been in a Debian release since buster;
- its popcon is quickly decreasing;
- there is only one rdep, syndie, with the same maintainer, it has not 
seen an upload in 4 years and has a near-zero popcon.


I would indeed suggest removing the package and syndie (RoQA) after 
giving the maintainer some time to respond. Keeping these two 
packages in unstable seems only harmful right now.


What do you think?

>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-36325
> https://www.cve.org/CVERecord?id=CVE-2023-36325
> [1] https://xeiaso.net/blog/CVE-2023-36325
>
> Regards,
> Salvatore
>
>

Best,

--
Pierre




Bug#1043161: i2p: CVE-2023-36325

2023-08-06 Thread Salvatore Bonaccorso
Source: i2p
Version: 0.9.48-1.1
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for i2p.

CVE-2023-36325[0]:
| Attackers can de-anonymize i2p hidden services with a message replay
| attack

Should i2p be removed from unstable?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-36325
https://www.cve.org/CVERecord?id=CVE-2023-36325
[1] https://xeiaso.net/blog/CVE-2023-36325

Regards,
Salvatore