All,

these packages have been masked in the tree for months - years with no
signs of fixes.

I am particularly concerned about packages with known security
vulnerabilities staying in the main tree masked. If people want to keep
using those packages, I don't want to stop them, but packages like this
should not be in the main tree.

On 28 Jan, I will go through this list again, from oldest to newest,
first focusing on packages with known security issues. Any of these that
I find still in p.mask or with no activity on them but still in the
main tree will be removed then.

# Patrick Lauer <patrick@g.o> (24 Nov 2014)
# Missing deps, uninstallable
app-misc/email2trac
www-apps/trac-downloads

# Jauhien Piatlicki <jauhien@g.o> (5 Oct 2014)
# Masked because of bug 524390: privilege escalation
# until upstream fixes this security issue.
# Use at your own risk
<x11-misc/sddm-0.10.0

# Sergey Popov <pinkbyte@g.o> (04 Sep 2014)
# Security mask, wrt bugs #488212, #498164, #500260,
# #507802 and #518718
<virtual/mysql-5.5
<dev-db/mysql-5.5.39
<dev-db/mariadb-5.5.39

# Chí-Thanh Christopher Nguyễn <chithanh@g.o> (03 Sep 2014)
# Markos Chandras <hwoarang@g.o> (02 Sep 2014)
# MSN service terminated.
# You can still use your MSN account in net-im/skype
# or switch to an open protocol instead
# Masked for removal in 30 days
net-im/amsn
x11-themes/amsn-skins

# Christian Faulhammer <fauli@g.o> (02 Sep 2014)
# website not working anymore and will stay like this,
# tool is useless. See bug 504734
app-admin/hwreport

# Ulrich Müller <ulm@g.o> (15 Jul 2014)
# Permanently mask sys-libs/lib-compat and its reverse dependencies,
# pending multiple security vulnerabilities and QA issues.
# See bugs #515926 and #510960.
sys-libs/lib-compat
sys-libs/lib-compat-loki
games-action/mutantstorm-demo
games-action/phobiaii
games-emulation/handy
games-fps/rtcw
games-fps/unreal
games-strategy/heroes3
games-strategy/heroes3-demo
games-strategy/smac
sys-block/afacli

# Mike Gilbert <floppym@g.o> (13 Jun 2014)
# Masked due to security bug 499870.
# Please migrate to net-misc/libreswan.
# If you are a Gentoo developer, feel free to pick up maintenance of openswan
# and remove this mask after resolving the security issue.
net-misc/openswan

# Mike Gilbert <floppym@g.o> (10 Jun 2014)
# Tom Wijsman <TomWij@g.o> (8 Jun 2014)
# Mask VLC ebuilds that are affected with security bug CVE-2013-6934:
#
# A vulnerability has been discovered in VLC Media Player, which can be
# exploited by malicious people to compromise a user's system.
#
# Some ebuilds also have other buffer and integer overflow security bugs like
# CVE-2013-1954, CVE-2013-3245, CVE-2013-4388 and CVE-2013-6283.
#
# Users should consider to upgrade VLC Media Player to at least version 2.1.2.
<media-video/vlc-2.1.2

# Tom Wijsman <TomWij@g.o> (6 Jun 2014)
# Tom Wijsman <TomWij@g.o> (6 Jun 2014)
# Mask gentoo-sources ebuilds that are affected with security bug CVE-2014-3153.
#
# Pinkie Pie discovered an issue in the futex subsystem that allows a
# local user to gain ring 0 control via the futex syscall. An
# unprivileged user could use this flaw to crash the kernel (resulting
# in denial of service) or for privilege escalation.
#
# https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-3153
=sys-kernel/gentoo-sources-3.2.58-r2
~sys-kernel/gentoo-sources-3.4.90
=sys-kernel/gentoo-sources-3.4.91
~sys-kernel/gentoo-sources-3.10.40
=sys-kernel/gentoo-sources-3.10.41
~sys-kernel/gentoo-sources-3.12.20
=sys-kernel/gentoo-sources-3.12.21
~sys-kernel/gentoo-sources-3.14.4
=sys-kernel/gentoo-sources-3.14.5

# Tom Wijsman <TomWij@g.o> (30 May 2014)
# CVE-2012-1721 - Remote Code Execution Vulnerability
#
# Vulnerable: IBM Java SE 5.0 SR12-FP5
# URL: http://www.securityfocus.com/bid/53959/
dev-java/ibm-jdk-bin:1.5

# Alexander Vershilov <qnikst@g.o> (02 Apr 2014)
# Multiple vulnerabilities, see #504724, #505860
<sys-kernel/openvz-sources-2.6.32.85.17

# Chí-Thanh Christopher Nguyễn <chithanh@g.o> (26 Mar 2014)
# Affected by multiple vulnerabilities, #445916, #471098 and #472280
<media-libs/mesa-9.1.4

# Sergey Popov <pinkbyte@g.o> (20 Mar 2014)
# Security mask of vulnerable versions, wrt bug #424167
<net-nds/openldap-2.4.35

# Michael Weber <xmw@g.o> (9 Jul 2013)
# Masked for security bug 450746, CVE-2012-6095
<net-ftp/proftpd-1.3.4c

# Samuli Suominen <ssuominen@g.o> (30 Oct 2011)
# Masked for security bug #294253, use only at your own risk!
=media-libs/fmod-3*
games-puzzle/candycrisis
games-simulation/stoned-bin
games-sports/racer-bin
games-strategy/dark-oberon
games-strategy/savage-bin

# Chris Gianelloni <wolf31o2@g.o> (03 Mar 2008)
# Masking due to security bug #194607 and security bug #204067
games-fps/doom3
games-fps/doom3-cdoom
games-fps/doom3-chextrek
games-fps/doom3-data
games-fps/doom3-demo
games-fps/doom3-ducttape
games-fps/doom3-eventhorizon
games-fps/doom3-hellcampaign
games-fps/doom3-inhell
games-fps/doom3-lms
games-fps/doom3-mitm
games-fps/doom3-phantasm
games-fps/doom3-roe
games-fps/quake4-bin
games-fps/quake4-data
games-fps/quake4-demo

# Tavis Ormandy <taviso@g.o> (21 Mar 2006)
# masked pending unresolved security issues #127167
games-roguelike/slashem

# Tavis Ormandy <taviso@g.o> (21 Mar 2006)
# masked pending unresolved security issues #125902
games-roguelike/nethack
games-util/hearse

# <klieber@g.o> (01 Apr 2004)
# The following packages contain a remotely-exploitable
# security vulnerability and have been hard masked accordingly.
#
# Please see http://bugs.gentoo.org/show_bug.cgi?id=44351 for more info
#
games-fps/unreal-tournament-goty
games-fps/unreal-tournament-strikeforce
games-fps/unreal-tournament-bonuspacks
games-fps/aaut

Thanks,

William
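
The review order described in the message above (security masks first, oldest to newest), as an added example that is not part of the original post and is not Portage code. The sample text is constructed from entries quoted in the message; the security keyword list and the choice of the earliest header date as the mask's age are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample in package.mask layout, built from entries quoted in the message.
SAMPLE = """\
# Patrick Lauer <patrick@g.o> (24 Nov 2014)
# Missing deps, uninstallable
app-misc/email2trac
www-apps/trac-downloads

# Jauhien Piatlicki <jauhien@g.o> (5 Oct 2014)
# Masked because of bug 524390: privilege escalation
# until upstream fixes this security issue.
<x11-misc/sddm-0.10.0

# Michael Weber <xmw@g.o> (9 Jul 2013)
# Masked for security bug 450746, CVE-2012-6095
<net-ftp/proftpd-1.3.4c

# <klieber@g.o> (01 Apr 2004)
# The following packages contain a remotely-exploitable
# security vulnerability and have been hard masked accordingly.
games-fps/aaut
"""

# Header comment: "# Name <addr> (DD Mon YYYY)"; the name may be absent.
HEADER = re.compile(r"^#.*<[^>]+>\s*\((\d{1,2} \w{3} \d{4})\)\s*$")
# Heuristic keywords (an assumption of this example, not a Portage rule).
SECURITY = re.compile(r"security|vulnerab|CVE-\d{4}-\d+|privilege escalation", re.I)

def parse_mask(text):
    """Split blank-line-separated entries into date, security flag and atoms."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        comments = [ln for ln in lines if ln.startswith("#")]
        atoms = [ln for ln in lines if not ln.startswith("#")]
        dates = [datetime.strptime(m.group(1), "%d %b %Y").date()
                 for m in map(HEADER.match, comments) if m]
        if atoms and dates:
            entries.append({
                "since": min(dates),  # earliest header = when the mask began
                "security": any(SECURITY.search(c) for c in comments),
                "atoms": atoms,
            })
    return entries

def triage(entries):
    """Security masks first, then oldest to newest within each group."""
    return sorted(entries, key=lambda e: (not e["security"], e["since"]))
```

Entries without a dated header or without any package atom are skipped, so free-form comment blocks in a real package.mask do not end up in the review queue.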