Control: clone -1 -2 -3
Control: reassign -2 ftpmasters
Control: retitle -2 RM: pam-rsa -- RoST; unmaintained, buggy and dangerous
Control: reassign -3 release.debian.org
Control: retitle -3 RM: pam-rsa -- RoST; unmaintained, buggy and dangerous
Control: user release.debian....@packages.debian.org
Control: usertag -3 rm
On Tue., 2012-11-13 at 21:56 +0100, Yves-Alexis Perez wrote:
> On Tue., 2012-11-13 at 09:00 -0800, Ian Zimmerman wrote:
> > Jan> Is it possible to reproduce that xscreensaver crash also without
> > Jan> libpam-rsa module being used? (when using pam-unix login
> > Jan> alternative with the same scenario)
> >
> > No, it doesn't happen with pam-unix. This had been kicked around the
> > debian security team for a couple of days before this bug was posted.
> > You may want to contact them to coordinate your response.
>
> Yes, we were made aware of the issue.
>
> Seeing the gravity of the bug, the number of people using it, the time
> of last (upstream) release and the number of NMU, we're considering just
> removing it from Debian altogether, unless you have a decisive argument
> to keep it (and fix the bug quickly).

Doing this now (hoping the Control: syntax will work).

ftpmasters, release team: the security team is requesting the removal of the pam-rsa package because we were made aware of the above (#693087) bug: in some situations, the pam_rsa module will cause a segfault in xscreensaver, leaving the screen unlocked.

The package seems to be mostly abandoned upstream (last release in 2007, called a “beta release”, and no answer from the bug address on the upstream webpage) and, although the Debian maintainer seems around, there have been only NMUs since 2007.

In our opinion, considering the low pam-rsa usage (and even questioning the real benefit of the package), it'd be best to remove it altogether.

Thus, we'd like the removal from at least testing and unstable. For stable, I'm a bit unsure about how we're supposed to handle a package disappearance in stable, so I'm available for discussion (although we don't think it's really supportable in the current state).

Thanks in advance,
--
Yves-Alexis, for the security team