Control: severity -1 important
Control: retitle -1 wicd-daemon: please don't list the vulnerable dhcpcd5 first in the OR'ed dependencies

Hi,

Vincent Lefevre wrote:
> Due to bug 852343, wicd-daemon now depends on
>
> dhcpcd5 | isc-dhcp-client | pump | udhcpc

Hrm. That bug report has never been closed.

Ah, no, you were wrong: It's not due to #852343 (which is indeed still open), but due to #783272.

> but dhcpcd5 has been vulnerable since at least 2014:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=846938
>
> (dhcpcd5: CVE-2014-7913). And as a consequence, wicd has now been
> removed from testing:
>
> https://tracker.debian.org/news/965137/wicd-removed-from-testing/

For some reason unclear to me, it migrated back to testing less than a day later:

https://packages.qa.debian.org/w/wicd/news/20180615T043913Z.html

Found no according hint in https://release.debian.org/britney/hints/ and the bug has neither been fixed nor has dhcpcd5 been removed from Debian.

> The unnecessary dependency on dhcpcd5 should be removed.

I disagree: Neither should the dependency be removed, nor is it unnecessary. On the contrary: It would be a policy violation if I (just) removed that dependency, because wicd _has_ a relation with dhcpcd5 and hence requires a package relation with it. And already alone because of that it is surely not RC.

The only thing I likely will change in wicd is to not keep dhcpcd5 as the first of the alternative list of DHCP client dependencies, but to move isc-dhcp-client to the first position.

Retitling the bug report accordingly and lowering the severity.

Regards, Axel
--
 ,''`.  |  Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE