[Secure-testing-commits] r56244 - data
Hugo Lefeuvre
hle at moszumanska.debian.org
Fri Sep 29 13:13:25 UTC 2017
Author: hle
Date: 2017-09-29 13:13:25 +0000 (Fri, 29 Sep 2017)
New Revision: 56244
Modified:
data/dla-needed.txt
Log:
Unclaim mp3gain in dla-needed and add some notes.
Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt 2017-09-29 12:49:10 UTC (rev 56243)
+++ data/dla-needed.txt 2017-09-29 13:13:25 UTC (rev 56244)
@@ -78,9 +78,11 @@
--
mosquitto (Roger A. Leigh/Gianfranco Costamagna)
--
-mp3gain (Hugo Lefeuvre)
- NOTE: successfully reproduced CVE-2017-14409 and CVE-2017-14407.
- NOTE: bundles a modified, old version of mpg123 under mpglibDBL/, so issues might be already discovered/fixed in mpg123 (or lame?)
+mp3gain
+ NOTE: Successfully reproduced CVE-2017-144{09, 07} but couldn't reproduce CVE-2017-144{06, 08, 10, 11, 12} (valgrind in Wheezy, gcc+asan in Jessie).
+ NOTE: Bundles a modified, old version of mpg123 under mpglibDBL/, so issues might be already discovered/fixed in mpg123 or lame:
+ NOTE: For CVE-2017-14409, https://security-tracker.debian.org/tracker/CVE-2017-9872 might be of interest, files are very similar
+ NOTE: adapting/writing patches seems to be very time consuming, mp3gain is dead upstream so this might be a candidate for no-dsa -- Hugo Lefeuvre
--
mysql-connector-python
NOTE: 20170927: Wait for more issues (see ML: https://lists.debian.org/debian-lts/2017/08/msg00039.html) -- Hugo Lefeuvre
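Review bot: The brace shorthand in the first added NOTE (CVE-2017-144{09, 07} and CVE-2017-144{06, 08, 10, 11, 12}) means a text search of dla-needed.txt for a full ID such as CVE-2017-14407 no longer matches this entry, whereas the removed line spelled both IDs out. Write each CVE ID in full. The parenthetical "(valgrind in Wheezy, gcc+asan in Jessie)" also leaves it unclear whether both setups were used for the successful reproductions, the failed ones, or both, so state which tool and release applies to which result. Finally, the added notes carry no date, unlike the "20170927:" prefix on the mysql-connector-python note just below; the same prefix here would tell the next person picking up the package how recent the findings are.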