Bug#887551: [request-tracker-maintainers] Bug#887551: request-tracker4 depends on libemail-address-perl

[Dominic Hargreaves]

On Wed, Jan 17, 2018 at 09:05:18PM +0100, Pali Rohár wrote:
> Hi! Package request-tracker4 depends on libemail-address-perl which is
> vulnerable to CVE-2015-7686, see bug #868170. libemail-address-perl
> provides perl module Email::Address which is now unmaintained. There is
> a new perl module Email::Address::XS which is API compatible replacement
> for Email::Address and is available in libemail-address-xs-perl. Please
> port request-tracker4 package to use libemail-address-xs-perl. If you need
> help with porting let me know.

Thanks for the heads up. Upstream is going to look at this for the 4.6
cycle. Given that request-tracker4 is far from being the only reverse
dependency at the moment, I don't plan to look at accelerating this,
but I would happily take a working patch into Debian sooner.

Cheers,
Dominic.

Bug#887551: request-tracker4 depends on libemail-address-perl

[Pali Rohár]

Package: request-tracker4
Version: 4.4.2-1
Severity: wishlist

Hi! Package request-tracker4 depends on libemail-address-perl which is
vulnerable to CVE-2015-7686, see bug #868170. libemail-address-perl
provides perl module Email::Address which is now unmaintained. There is
a new perl module Email::Address::XS which is API compatible replacement
for Email::Address and is available in libemail-address-xs-perl. Please
port request-tracker4 package to use libemail-address-xs-perl. If you need
help with porting let me know.

-- 
Pali Rohár
pali.ro...@gmail.com


signature.asc
Description: PGP signature