Hi Tony! Thanks for your reply; dropping the LTS list since this reply is specific to oldstable, stable and unstable.
On Wed, Nov 22, 2017 at 03:32:36PM -0800, tony mancill wrote:
> On Wed, Nov 22, 2017 at 09:00:59PM +0100, Emilio Pozuelo Monfort wrote:
> > On 08/11/17 20:19, Ola Lundqvist wrote:
> > > Hi
> > >
> > > Considering that this package is about to be removed from jessie I
> > > guess it should be removed from wheezy too. How is that done? Should I
> > > contact the FTP maintainers about it, or do we simply ignore the
> > > issue?
> >
> > We don't have point releases, so I'm not sure we can get a package removed at
> > this stage without extra work by the ftp masters. So our options would be:
> >
> > - mark as no-dsa if it's not important enough
> > - mark as unsupported / end-of-life
> > - fix it
> > - get it removed
> >
> > The issue seems only exploitable if it's used by a service that is exposed
> > remotely or to other issues... and has no rdeps in wheezy. OTOH there is at
> > least one sponsor using that package. So removing it may not be the best course
> > given there is a proposed patch. So I'd go with either no-dsa or fix it,
> > depending on the assessed importance.
>
> Hi,
>
> My apologies for taking a while to join the thread. As the most recent
> uploader of this package, I feel responsible for helping get it into a
> safe state if we opt to keep it. However, I am not an active user, so
> if the package is to remain in Debian, it might be better to transition
> it to the Debian Perl Team (assuming that is amenable to the team).
>
> I tend to agree with Emilio that removing it might not be the best
> course of action for our users, particularly given that we have a patch
> and the popcon [1] is non-zero. Removing it from the distribution seems
> like it merely leaves users with a known vulnerability. Also, the
> package might be used in derivatives.
>
> I agree with Simon that it's a little odd for the patch to bump the
> version. (OTOH, it makes it much easier to differentiate from the
> vulnerable 0.15.) Still, I am inclined to take the patch as a patch
> against upstream 0.15 for the upload to unstable and then backport it
> for 0.13 for stable and oldstable. Or perhaps Alexandr Ciornii (on the
> cc) would be willing to release 0.16 including the patch.
>
> Thoughts?

The package is basically "unmaintained" (upstream)[*] and for almost 10
years did not address
https://rt.cpan.org/Public/Bug/Display.html?id=33230 (maybe you can
argue it is as well a fault of various "downstreams" for not noticing
and bringing that up earlier, definitively. I wonder why only now it got
attention on oss-security, for which I then requested a CVE).

IMHO the best course of action is still to have it removed, in all
suites. For unstable, so that it's not included in buster. And for
oldstable and stable (as scheduled for the upcoming point releases) via
the point release announcements. The announcement will contain a section
on which packages are removed from Debian, and for which reason, so
users of Net::Ping::External are still informed.

I agree as well that if one starts to argue that way, that there are old
packages which do not see updates from upstream, then a whole lot more
should be removed from Debian ;-). My point was not this though; I'm
concerned that there was a bug with security implications reported in
the public bug tracker for almost 10 years, without even a reply to
acknowledge the problem.

Regards,
Salvatore

[*] Well, not exactly: I know there was e.g. 0.15, so there is activity,
but see the rest of the sentence.