Gentoo Archives: gentoo-dev

From: William Hubbs <williamh@g.o>
To: gentoo-dev-announce@l.g.o
Cc: gentoo-dev@l.g.o
Subject: [gentoo-dev] qa last rites -- long list
Date: Wed, 07 Jan 2015 06:08:24
Message-Id: 20150106222442.GA3513@linux1

All,

Many packages have been masked in the tree for months - years with no
signs of fixes.

I am particularly concerned about packages with known security
vulnerabilities staying in the main tree masked. If people want to keep
using those packages, I don't want to stop them, but packages like this
should be in an overlay, not the main tree.

On 28 Jan, I will go through this list again, from oldest to newest,
first focusing on packages with known security issues. Any of these that
I find still in p.mask or with no fixes but still in the
main tree will be removed then.

# Patrick Lauer <patrick@g.o> (24 Nov 2014)
# Missing deps, uninstallable
app-misc/email2trac
www-apps/trac-downloads

# Jauhien Piatlicki <jauhien@g.o> (5 Oct 2014)
# Masked because of bug 524390: privilege escalation
# until upstream fixes this security issue.
# Use at your own risk
<x11-misc/sddm-0.10.0

# Sergey Popov <pinkbyte@g.o> (04 Sep 2014)
# Security mask, wrt bugs #488212, #498164, #500260,
# #507802 and #518718
<virtual/mysql-5.5
<dev-db/mysql-5.5.39
<dev-db/mariadb-5.5.39

# Chí-Thanh Christopher Nguyễn <chithanh@g.o> (03 Sep 2014)
# Markos Chandras <hwoarang@g.o> (02 Sep 2014)
# MSN service terminated.
# You can still use your MSN account in net-im/skype
# or switch to an open protocol instead
# Masked for removal in 30 days
net-im/amsn
x11-themes/amsn-skins

# Christian Faulhammer <fauli@g.o> (02 Sep 2014)
# website not working anymore and will stay like this,
# tool is useless. See bug 504734
app-admin/hwreport

# Ulrich Müller <ulm@g.o> (15 Jul 2014)
# Permanently mask sys-libs/lib-compat and its reverse dependencies,
# pending multiple security vulnerabilities and QA issues.
# See bugs #515926 and #510960.
sys-libs/lib-compat
sys-libs/lib-compat-loki
games-action/mutantstorm-demo
games-action/phobiaii
games-emulation/handy
games-fps/rtcw
games-fps/unreal
games-strategy/heroes3
games-strategy/heroes3-demo
games-strategy/smac
sys-block/afacli

# Mike Gilbert <floppym@g.o> (13 Jun 2014)
# Masked due to security bug 499870.
# Please migrate to net-misc/libreswan.
# If you are a Gentoo developer, feel free to pick up maintenance of openswan
# and remove this mask after resolving the security issue.
net-misc/openswan

# Mike Gilbert <floppym@g.o> (10 Jun 2014)
# Tom Wijsman <TomWij@g.o> (8 Jun 2014)
# Mask VLC ebuilds that are affected with security bug CVE-2013-6934:
#
# A vulnerability has been discovered in VLC Media Player, which can be
# exploited by malicious people to compromise a user's system.
#
# Some ebuilds also have other buffer and integer overflow security bugs like
# CVE-2013-1954, CVE-2013-3245, CVE-2013-4388 and CVE-2013-6283.
#
# Users should consider to upgrade VLC Media Player to at least version 2.1.2.
<media-video/vlc-2.1.2

# Tom Wijsman <TomWij@g.o> (6 Jun 2014)
# Tom Wijsman <TomWij@g.o> (6 Jun 2014)
# Mask gentoo-sources ebuilds that are affected with security bug CVE-2014-3153.
#
# Pinkie Pie discovered an issue in the futex subsystem that allows a
# local user to gain ring 0 control via the futex syscall. An
# unprivileged user could use this flaw to crash the kernel (resulting
# in denial of service) or for privilege escalation.
#
# https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-3153
=sys-kernel/gentoo-sources-3.2.58-r2
~sys-kernel/gentoo-sources-3.4.90
=sys-kernel/gentoo-sources-3.4.91
~sys-kernel/gentoo-sources-3.10.40
=sys-kernel/gentoo-sources-3.10.41
~sys-kernel/gentoo-sources-3.12.20
=sys-kernel/gentoo-sources-3.12.21
~sys-kernel/gentoo-sources-3.14.4
=sys-kernel/gentoo-sources-3.14.5

# Tom Wijsman <TomWij@g.o> (30 May 2014)
# CVE-2012-1721 - Remote Code Execution Vulnerability
#
# Vulnerable: IBM Java SE 5.0 SR12-FP5
# URL: http://www.securityfocus.com/bid/53959/
dev-java/ibm-jdk-bin:1.5

# Alexander Vershilov <qnikst@g.o> (02 Apr 2014)
# Multiple vulnerabilities, see #504724, #505860
<sys-kernel/openvz-sources-2.6.32.85.17

# Chí-Thanh Christopher Nguyễn <chithanh@g.o> (26 Mar 2014)
# Affected by multiple vulnerabilities, #445916, #471098 and #472280
<media-libs/mesa-9.1.4

# Sergey Popov <pinkbyte@g.o> (20 Mar 2014)
# Security mask of vulnerable versions, wrt bug #424167
<net-nds/openldap-2.4.35

# Michael Weber <xmw@g.o> (9 Jul 2013)
# Masked for security bug 450746, CVE-2012-6095
<net-ftp/proftpd-1.3.4c

# Samuli Suominen <ssuominen@g.o> (30 Oct 2011)
# Masked for security bug #294253, use only at your own risk!
=media-libs/fmod-3*
games-puzzle/candycrisis
games-simulation/stoned-bin
games-sports/racer-bin
games-strategy/dark-oberon
games-strategy/savage-bin

# Chris Gianelloni <wolf31o2@g.o> (03 Mar 2008)
# Masking due to security bug #194607 and security bug #204067
games-fps/doom3
games-fps/doom3-cdoom
games-fps/doom3-chextrek
games-fps/doom3-data
games-fps/doom3-demo
games-fps/doom3-ducttape
games-fps/doom3-eventhorizon
games-fps/doom3-hellcampaign
games-fps/doom3-inhell
games-fps/doom3-lms
games-fps/doom3-mitm
games-fps/doom3-phantasm
games-fps/doom3-roe
games-fps/quake4-bin
games-fps/quake4-data
games-fps/quake4-demo

# Tavis Ormandy <taviso@g.o> (21 Mar 2006)
# masked pending unresolved security issues #127167
games-roguelike/slashem

# Tavis Ormandy <taviso@g.o> (21 Mar 2006)
# masked pending unresolved security issues #125902
games-roguelike/nethack
games-util/hearse

# <klieber@g.o> (01 Apr 2004)
# The following packages contain a remotely-exploitable
# security vulnerability and have been hard masked accordingly.
#
# Please see http://bugs.gentoo.org/show_bug.cgi?id=44351 for more info
#
games-fps/unreal-tournament-goty
games-fps/unreal-tournament-strikeforce
games-fps/unreal-tournament-bonuspacks
games-fps/aaut

Thanks,

William
