Source: python-zxcvbn Version: 4.4.28-3 Severity: serious Control: affects -1 pass-extension-audit pwdsphinx secrets
It was reported that the maintainer of this package seems to be MIA (and there were no maintainer uploads since 2019). At the same time, the package upstream seems to be dead: https://github.com/dwolfhub/zxcvbn-python/issues/73 (and there were no commits since 2021 and no releases since 2019). As the upstream bug correctly notes, this is a security-sensitive package, so it's worrying that people can be relying on it while it's abandoned. Scott Kitterman even suggested removing it from Debian but is has revdeps: pass-extension-audit/src:pass-audit The only upload to Debian in 2022, last upstream release 2022, zxcvbn is a hard req per setup.cfg. Popcon 20. No revdeps. pwdsphinx All Debian uploads in 2023, last upstream release in 2023. zxcvbn (actually zxcvbn-python, which is an older version of zxcvbn per https://pypi.org/project/zxcvbn-python) is a hard req per setup.py. Popcon 2. No revdeps outside the source package. secrets Fairly active both in Debian and upstream. A GNOME app. zxcvbn is a hard req per meson.build. Popcon 224. No revdeps outside the source package. -- System Information: Debian Release: trixie/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable'), (500, 'testing'), (101, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 6.7.9-amd64 (SMP w/16 CPU threads; PREEMPT) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
