Bug#881102: RM: libnet-ping-external-perl -- RoQA; unmaintained upstream, contains security issue for several years unaddressed

2017-12-10 Thread Brian May
On Tue, Nov 07, 2017 at 09:14:17PM +0100, Salvatore Bonaccorso wrote:
> There are no packages depending on it in Debian, so it looks the
> safest course of action is to remove it from unstable (possibly as
> well from other suites later on via point release) and not having it
> included in buster.

This package should be removed from wheezy too. Please let me know if I
need a separate bug for wheezy, for now reusing the same bug for sid and
testing.

This package was removed from Jessie and Stretch in the latest point
release.

For additional discussion see:

http://www.openwall.com/lists/oss-security/2017
https://bugs.debian.org/881097
https://lists.debian.org/debian-lts/2017/12/msg9.html

I note that initially there was some disagreement as to if this package
should be removed or not from Wheezy. However I believe the consensus
now is that it should get removed. Especially as it has been removed
from Jessie and Stretch.
-- 
Brian May 



Bug#881102: RM: libnet-ping-external-perl -- RoQA; unmaintained upstream, contains security issue for several years unaddressed

2017-11-07 Thread Salvatore Bonaccorso
Package: ftp.debian.org
Severity: normal

Hi

As prompted by http://www.openwall.com/lists/oss-security/2017/11/07/4
and has been reported to the BTS as #881097:

libnet-ping-external-perl is basically unmaintained upstream and has a
command injection vulnerability reported upstream without having had a
reply. Thus thinking this is basically unmaintained upstream. The same
version is back in wheezy.

There are no packages depending on it in Debian, so it looks the
safest course of action is to remove it from unstable (possibly as
well from other suites later on via point release) and not having it
included in buster.

Regards
Salvatore