Discussion:
Bug#1093386: RM: libnet-easytcp-perl/0.26-6
Salvatore Bonaccorso
2025-01-17 21:30:01 UTC
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: libnet-easytcp-***@packages.debian.org, Debian Perl Group <pkg-perl-***@lists.alioth.debian.org>, Gunnar Wolf <***@debian.org>, ***@security.debian.org, ***@debian.org, ***@debian.org
Control: affects -1 + src:libnet-easytcp-perl
User: ***@packages.debian.org
Usertags: rm

Dear SRM,

This is the corresponding removal request for libnet-easytcp-perl from
stable, relating to #1093385 for unstable and testing.

libnet-easytcp-perl has security issues (CVE-2024-56830, note not the
same as CVE-2002-20002) where it falls back to Perl's builtin rand() if
no strong randomization module is present, and Crypt::Random is not
packaged and used.

Furthermore, upstream is basically unmaintained, the last version was
0.26 from 2004.

Additionally it has low popcon, so I think it is affordable for
removal.

It can be removed from stable:

|$ dak rm --suite=bookworm -n -R libnet-easytcp-perl
|Will remove the following packages from bookworm:
|
|libnet-easytcp-perl | 0.26-6 | source, all
|
|Maintainer: Debian Perl Group <pkg-perl-***@lists.alioth.debian.org>
|
|------------------- Reason -------------------
|
|----------------------------------------------
|
|Checking reverse dependencies...
|No dependency problem found.

Regards,
Salvatore
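
The fallback described in the report, shown as an added illustration that is not part of the thread and is not Net::EasyTCP's own code: a fail-open random-byte helper beside a fail-closed one that reads the kernel CSPRNG. The function names and the seed value are hypothetical and constructed for this example, and it assumes a system that provides /dev/urandom.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Fail-open pattern (hypothetical helper): use a strong module if it loads,
# otherwise silently fall back to Perl's builtin rand().
# Returns (bytes, name-of-source-used).
sub random_bytes_fail_open {
    my ($n) = @_;
    if (eval { require Crypt::Random; 1 }) {
        my $bytes = Crypt::Random::makerandom_octet(Length => $n, Strength => 0);
        return ($bytes, 'Crypt::Random');
    }
    # No strong module installed: the caller is never told about the downgrade.
    return (join('', map { chr(int(rand(256))) } 1 .. $n), 'rand()');
}

# Fail-closed alternative (hypothetical helper): read the kernel CSPRNG and
# die instead of degrading to a weaker source.
sub random_bytes_fail_closed {
    my ($n) = @_;
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    my $got = read($fh, my $buf, $n);
    close $fh;
    die "short read from /dev/urandom\n" unless defined $got && $got == $n;
    return $buf;
}

# rand() is a seeded PRNG, not a CSPRNG: the same seed reproduces the same
# byte string, so its output is only as secret as the seed.
sub rand_bytes_with_seed {
    my ($seed, $n) = @_;
    srand($seed);
    return join('', map { chr(int(rand(256))) } 1 .. $n);
}

my ($bytes, $source) = random_bytes_fail_open(16);
printf "fail-open   (%s): %s\n", $source, unpack('H*', $bytes);
printf "fail-closed (/dev/urandom): %s\n", unpack('H*', random_bytes_fail_closed(16));

my $first  = rand_bytes_with_seed(12345, 16);   # constructed seed value
my $second = rand_bytes_with_seed(12345, 16);
printf "rand() output repeats for the same seed: %s\n",
    $first eq $second ? 'yes' : 'no';
```

On a system without Crypt::Random installed, the first line reports `rand()` as the source, which is the silent downgrade the report describes.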
Debian Bug Tracking System
2025-01-17 21:30:01 UTC
Post by Salvatore Bonaccorso
affects -1 + src:libnet-easytcp-perl
Bug #1093386 [release.debian.org] RM: libnet-easytcp-perl/0.26-6
Added indication that 1093386 affects src:libnet-easytcp-perl
--
1093386: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093386
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Holger Levsen
2025-01-17 21:50:01 UTC
hi Salvatore!
Post by Salvatore Bonaccorso
This is the corresponding removal request for libnet-easytcp-perl from
stable, relating to #1093385 for unstable and testing.
libnet-easytcp-perl has security issues (CVE-2024-56830, note not the
same as CVE-2002-20002) where it falls back to Perl's builtin rand() if
no strong randomization module is present, and Crypt::Random is not
packaged and used.
Furthermore, upstream is basically unmaintained, the last version was
0.26 from 2004.
Additionally it has low popcon, so I think it is affordable for
removal.
should this be communicated via src:debian-security-support as well?
--
cheers,
Holger

⢀⣎⠟⠻⢶⣊⠀
⣟⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

Never waste a crisis.
Salvatore Bonaccorso
2025-01-18 17:00:01 UTC
Hi Holger,
Post by Holger Levsen
hi Salvatore!
Post by Salvatore Bonaccorso
This is the corresponding removal request for libnet-easytcp-perl from
stable, relating to #1093385 for unstable and testing.
libnet-easytcp-perl has security issues (CVE-2024-56830, note not the
same as CVE-2002-20002) where it falls back to Perl's builtin rand() if
no strong randomization module is present, and Crypt::Random is not
packaged and used.
Furthermore, upstream is basically unmaintained, the last version was
0.26 from 2004.
Additionally it has low popcon, so I think it is affordable for
removal.
should this be communicated via src:debian-security-support as well?
Yes maybe additionally to the removal from bookworm in the next point
release this should be marked as well as unsupported, I have done a MR
for debian-security-support:
https://salsa.debian.org/debian/debian-security-support/-/merge_requests/34

Adding Moritz to get an ack/peer review.

Regards,
Salvatore
Holger Levsen
2025-01-20 10:20:01 UTC
Hi Salvatore & Moritz,
Post by Salvatore Bonaccorso
Post by Holger Levsen
Post by Salvatore Bonaccorso
This is the corresponding removal request for libnet-easytcp-perl from
stable, relating to #1093385 for unstable and testing.
should this be communicated via src:debian-security-support as well?
Yes maybe additionally to the removal from bookworm in the next point
release this should be marked as well as unsupported, I have done a MR
https://salsa.debian.org/debian/debian-security-support/-/merge_requests/34
ok, great, thank you.
Post by Salvatore Bonaccorso
Adding Moritz to get an ack/peer review.
ok, will wait for that before merging and uploading.
--
cheers,
Holger

⢀⣎⠟⠻⢶⣊⠀
⣟⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

"We should give all billionaires worldwide an ultimatum: if you have not
solved the climate crisis within a year, you will be expropriated!"
(@nicosemsrott)