On Thu, Aug 29, 2019 at 09:36:39AM +0200, Moritz Mühlenhoff wrote:
> Adding the radare2 uploaders to CC.
>
> On Fri, Aug 16, 2019 at 11:23:05PM +0200, Markus Koschany wrote:
> > >> + NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in
> > >> + NOTE: libr/core/bin.c. Many no-dsa issues in Jessie and Stretch. Should we
> > >> + NOTE: continue the current approach, update to a newer upstream version or mark
> > >> + NOTE: radare2 as unsupported? Also note that there is a r2-pwnDebian challenge...
> > >> + NOTE: https://bananamafia.dev/post/r2-pwndebian/ (apo)
> > >
> > > I'd be in favor of marking radare2 as unsupported, probably even for stable,
> > > but definitely for oldstable and older.
> > >
> > > I'd be happy to do these changes in src:debian-security-tracker and
> > > uploading this to sid.
> >
> > +1
> >
> > I just noticed that we are not consistent with fixing CVEs in radare2 and
> > I would also be in favor of marking it as unsupported. Another option
> > would be to package always the latest upstream release and backport that
> > to stable and oldstable but it seems we already lag behind a few
> > versions in unstable, so I'd rather choose the first option.
>
> The upstream link makes it sound as if they are one of those upstreams
> which reject the idea of distributions shipping an older release to
> a stable distro. For a tool like radare2 that seems fair enough, so
> how about simply excluding it from stable releases (and retroactively
> drop it from Buster/Stretch in the forthcoming point releases)?

Hilko/Sebastian, as the last uploaders; what do you think? How should we
proceed wrt radare in oldstable/stable?

Cheers,
Moritz