[pkg-wicd-maint] Bug#901592: wicd-daemon: please remove the vulnerable dhcpcd5 from the OR'ed dependencies
abe at debian.org
Fri Jun 15 11:37:31 BST 2018
Control: severity -1 important
Control: retitle -1 wicd-daemon: please don't list the vulnerable dhcpcd5 first in the OR'ed dependencies
Vincent Lefevre wrote:
> Due to bug 852343, wicd-daemon now depends on
> dhcpcd5 | isc-dhcp-client | pump | udhcpc
Hrm. That bug report never has been closed. Ah, no, you were wrong:
It's not due to #852343 (which is indeed still open), but due to
> but dhcpcd5 has been vulnerable since at least 2014:
> (dhcpcd5: CVE-2014-7913). And as a consequence, wicd has now been
> removed from testing:
For some reason unclear to me, it migrated back to testing less than a
Found no according hint in
https://release.debian.org/britney/hints/ and the bug has neither been
fixed nor has been dhcpcd5 removed from Debian.
> The unnecessary dependency on dhcpcd5 should be removed.
I disagree: Neither should the dependency be removed no is it
In contrary: It would be a policy violation if I (just) remove that
dependency because wicd _has_ a relation with dhcpcd5 and hence
requires a package relation with it. And already alone because of that
it is surely not RC.
The only thing I likely will change in wicd is to not keep dhcpcd5 as
first of the alternative list of DHCP client dependencies, but move
isc-dhcp-client to the first position.
Retitling the bug report accordingly and lowering the severity.
,''`. | Axel Beckert <abe at debian.org>, https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
More information about the pkg-wicd-maint