[pkg-wicd-maint] Bug#901592: wicd-daemon: please remove the vulnerable dhcpcd5 from the OR'ed dependencies

Axel Beckert abe at debian.org
Fri Jun 15 11:37:31 BST 2018

Control: severity -1 important
Control: retitle -1 wicd-daemon: please don't list the vulnerable dhcpcd5 first in the OR'ed dependencies


Vincent Lefevre wrote:
> Due to bug 852343, wicd-daemon now depends on
>   dhcpcd5 | isc-dhcp-client | pump | udhcpc

Hrm. That bug report never has been closed. Ah, no, you were wrong:
It's not due to #852343 (which is indeed still open), but due to

> but dhcpcd5 has been vulnerable since at least 2014:
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=846938
> (dhcpcd5: CVE-2014-7913). And as a consequence, wicd has now been
> removed from testing:
>   https://tracker.debian.org/news/965137/wicd-removed-from-testing/

For some reason unclear to me, it migrated back to testing less than a
day later:


Found no according hint in
https://release.debian.org/britney/hints/ and the bug has neither been
fixed nor has dhcpcd5 been removed from Debian.

> The unnecessary dependency on dhcpcd5 should be removed.

I disagree: Neither should the dependency be removed nor is it

On the contrary: It would be a policy violation if I (just) remove that
dependency because wicd _has_ a relation with dhcpcd5 and hence
requires a package relation with it. And already alone because of that
it is surely not RC.

The only thing I likely will change in wicd is to not keep dhcpcd5 as
first of the alternative list of DHCP client dependencies, but move
isc-dhcp-client to the first position.

Retitling the bug report accordingly and lowering the severity.

		Regards, Axel
 ,''`.  |  Axel Beckert <abe at debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
