Chris Knadle writes ("Bug#682010: [mumble] Communication failures due to CELT
codec library removal"):
> Package: tech-ctte
> Severity: normal
...
> This refers to Bug #675971 (which is severity grave, and currently closed)
> against the Mumble VoIP package, which is also affected by Bug #674650
> concerning the removal of the CELT library. This evening we also just
> discovered the existence of Bug #674634 which concerns the CELT library
> removal as well, and which may have more of the technical story.
Thanks for this, including the clear summary.
> - From the point of view of the bug reporters, what we want is a
> package that inter-operates with other Mumble clients and servers,
> if possible. To do this today would require reintroducing the celt
> source package again, which is rumored to have potential security issues.
> [We have not seen any details on this yet.]
>
> Note: this evening we think we have found a security expert who is
> willing to audit the CELT 0.7.1 codec for issues and possibly provide
> patches, assuming this is reasonably feasible.
This sounds like a good option to me. I will write to the security
team and ask them for their opinion about CELT.
>From what you say I think:
- We should try to address the security problems, if any, in the celt
0.7.1 codec. An audit would be very good.
- This is a serious problem for mumble at least and is arguably RC.
Do you have people who are willing to be the maintainer(s) and (if
necessary) sponsor(s) for the celt package ?
I assume it would be possible to reintroduce a celt package which was
very similar to the one recently removed, so as to avoid risking
unnecessary bugs.
Ian.
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
