[Pkg-matrix-maintainers] Bug#1080047: Should node-matrix-js-sdk be removed from unstable?

Helmut Grohne helmut at subdivi.de
Fri Aug 30 06:33:15 BST 2024 

Source: node-matrix-js-sdk
Severity: serious
Justification: grab attention of maintainer
User: helmutg at debian.org
Usertags: sidremove

Dear maintainer,

I suggest removing node-matrix-js-sdk from Debian for the following reasons:
 * It accumulated 4 RC-bugs:
   + #994213: node-matrix-js-sdk: CVE-2021-40823: E2EE vulnerability
     Last modified: 2 years

   + #1018970: node-matrix-js-sdk: CVE-2022-36059
     Last modified: 1 year, 11 months

   + #1021136: node-matrix-js-sdk: CVE-2022-39236 CVE-2022-39249 CVE-2022-39251
     Last modified: 1 year, 10 months

   + #1033621: node-matrix-js-sdk: CVE-2023-28427
     Last modified: 1 year, 5 months

 * It is not part of bookworm or trixie and is not a key package.

This bug serves as a pre-removal warning. After one month, the bug will be
reassigned to ftp.debian.org to actually request removal of the package.

In case the package should be kept in unstable, please evaluate each of the
RC-bugs listed above.
 * If the bug is meant to prevent the package from entering testing or a stable
   release, but this package should stay part of unstable, please add a
   usertag:

       user helmutg at debian.org
       usertags NNN + sidremove-ignore

 * If the bug no longer applies, please close it. If it is closed, check
   whether the fixed version is correct and adjust if necessary.

 * Is the bug really release-critical? If not, please downgrade.

 * If the bug still applies, please send a status update at least once a year.

Once all of the mentioned RC bugs have been acted upon in one way or another,
please close this bug.

In case the package should be removed from unstable, you may reassign this
bug report:

    Control: severity -1 normal
    Control: retitle -1 RM: node-matrix-js-sdk -- RoM; rc-buggy
    Control: reassign -1 ftp.debian.org
    Control: affects -1 + src:node-matrix-js-sdk

Alternatively, you may wait a month and have it reassigned.

In case you disagree with the above, please downgrade this bug below RC
severity. Doing so will also prevent automatic reassignment.

Kind regards

A tool for automatically removing packages from unstable

This bug report has been automatically filed with little human intervention.
If the filing is unclear or in error, don't hesitate to contact
Helmut Grohne <helmut at subdivi.de> for assistance.

More information about the Pkg-matrix-maintainers mailing list