[Duplication]
No duplication for this functionality in main at the moment.

[Embedded sources and static linking]
This package does not contain embedded library sources.
This package does not statically link to libraries.
No Go package

[Security]
I can confirm that there seems to be no CVE/Security history for this package.
It does not:
- run a daemon as root
- use old webkit
- use lib*v8 directly
- open a port
- use centralized online accounts
- integrate arbitrary javascript into the desktop
- deal with system authentication

But it does:
- process arbitrary SMTP content
- parse data formats

Therefore a security review should be performed on this package.

[Common blockers]
- builds fine at the moment
- utilizes build time self tests
- utilizes (rather trivial) smoke test as autopkgtest.
- Server Team committed to subscribe once this gets promoted (enough for now)
- code is not user visible, no translation needed
- dh_python is used
- package produces python2 bits, but they are not pulled into main by mailman3

[Packaging red flags]
- no current Ubuntu delta to evaluate
- no library with classic symbol tracking
- watch file is present
- Lintian warnings are present but ok
- debian/rules is rather clean
- no usage of Built-Using
- no golang package that would make things harder

[Upstream red flags]
- no suspicious errors during build
- it is pure python, so no incautious use of malloc/sprintf
- no use of sudo, gksu
- no use of pkexec
- no use of LD_LIBRARY_PATH
- no important open bugs
- no Dependency on webkit, qtwebkit, libgoa-*
- no embedded copies in upstream either

[Summary]
MIR Team Ack, as the package seems small, easy and sane to me.
As outlined above, due to its processing of mails which can be crafted,
I'll assign it to security for review.


** Changed in: flufl.bounce (Ubuntu)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

https://bugs.launchpad.net/bugs/1820191

Title:
  [MIR] flufl.bounce as dependency of mailman3
