From: William Hubbs
To: gentoo-dev-announce@lists.gentoo.org
Cc: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev-announce] qa last rites -- long list
Date: Tue, 6 Jan 2015 16:24:42 -0600
Message-ID: <20150106222442.GA3513@linux1>
Reply-To: gentoo-dev@lists.gentoo.org

All,

Many packages have been masked in the tree for months - years with no
signs of fixes. I am particularly concerned about packages with known
security vulnerabilities staying in the main tree masked. If people want
to keep using those packages, I don't want to stop them, but packages
like this should be in an overlay, not the main tree.

On 28 Jan, I will go through this list again, from oldest to newest,
first focusing on packages with known security issues. Any of these that
I find still in p.mask or with no fixes but still in the main tree will
be removed then.

# Patrick Lauer (24 Nov 2014)
# Missing deps, uninstallable
app-misc/email2trac
www-apps/trac-downloads

# Jauhien Piatlicki (5 Oct 2014)
# Masked because of bug 524390: privilege escalation
# until upstream fixes this security issue.
# Use at your own risk (04 Sep 2014)
# Security mask, wrt bugs #488212, #498164, #500260,
# #507802 and #518718 (03 Sep 2014)

# Markos Chandras (02 Sep 2014)
# MSN service terminated.
# You can still use your MSN account in net-im/skype
# or switch to an open protocol instead
# Masked for removal in 30 days
net-im/amsn
x11-themes/amsn-skins

# Christian Faulhammer (02 Sep 2014)
# website not working anymore and will stay like this,
# tool is useless. See bug 504734
app-admin/hwreport

# Ulrich Müller (15 Jul 2014)
# Permanently mask sys-libs/lib-compat and its reverse dependencies,
# pending multiple security vulnerabilities and QA issues.
# See bugs #515926 and #510960.
sys-libs/lib-compat
sys-libs/lib-compat-loki
games-action/mutantstorm-demo
games-action/phobiaii
games-emulation/handy
games-fps/rtcw
games-fps/unreal
games-strategy/heroes3
games-strategy/heroes3-demo
games-strategy/smac
sys-block/afacli

# Mike Gilbert (13 Jun 2014)
# Masked due to security bug 499870.
# Please migrate to net-misc/libreswan.
# If you are a Gentoo developer, feel free to pick up maintenance of openswan
# and remove this mask after resolving the security issue.
net-misc/openswan

# Mike Gilbert (10 Jun 2014)

# Tom Wijsman (8 Jun 2014)
# Mask VLC ebuilds that are affected with security bug CVE-2013-6934:
#
# A vulnerability has been discovered in VLC Media Player, which can be
# exploited by malicious people to compromise a user's system.
#
# Some ebuilds also have other buffer and integer overflow security bugs like
# CVE-2013-1954, CVE-2013-3245, CVE-2013-4388 and CVE-2013-6283.
#
# Users should consider to upgrade VLC Media Player to at least version 2.1.2.
(6 Jun 2014)

# Tom Wijsman (6 Jun 2014)
# Mask gentoo-sources ebuilds that are affected with security bug CVE-2014-3153.
#
# Pinkie Pie discovered an issue in the futex subsystem that allows a
# local user to gain ring 0 control via the futex syscall. An
# unprivileged user could use this flaw to crash the kernel (resulting
# in denial of service) or for privilege escalation.
#
# https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-3153
=sys-kernel/gentoo-sources-3.2.58-r2
~sys-kernel/gentoo-sources-3.4.90
=sys-kernel/gentoo-sources-3.4.91
~sys-kernel/gentoo-sources-3.10.40
=sys-kernel/gentoo-sources-3.10.41
~sys-kernel/gentoo-sources-3.12.20
=sys-kernel/gentoo-sources-3.12.21
~sys-kernel/gentoo-sources-3.14.4
=sys-kernel/gentoo-sources-3.14.5

# Tom Wijsman (30 May 2014)
# CVE-2012-1721 - Remote Code Execution Vulnerability
#
# Vulnerable: IBM Java SE 5.0 SR12-FP5
# URL: http://www.securityfocus.com/bid/53959/
dev-java/ibm-jdk-bin:1.5

# Alexander Vershilov (02 Apr 2014)
# Multiple vulnerabilities, see #504724, #505860 (26 Mar 2014)
# Affected by multiple vulnerabilities, #445916, #471098 and #472280 (20 Mar 2014)
# Security mask of vulnerable versions, wrt bug #424167 (9 Jul 2013)
# Masked for security bug 450746, CVE-2012-6095 (30 Oct 2011)
# Masked for security bug #294253, use only at your own risk!
=media-libs/fmod-3*
games-puzzle/candycrisis
games-simulation/stoned-bin
games-sports/racer-bin
games-strategy/dark-oberon
games-strategy/savage-bin

# Chris Gianelloni (03 Mar 2008)
# Masking due to security bug #194607 and security bug #204067
games-fps/doom3
games-fps/doom3-cdoom
games-fps/doom3-chextrek
games-fps/doom3-data
games-fps/doom3-demo
games-fps/doom3-ducttape
games-fps/doom3-eventhorizon
games-fps/doom3-hellcampaign
games-fps/doom3-inhell
games-fps/doom3-lms
games-fps/doom3-mitm
games-fps/doom3-phantasm
games-fps/doom3-roe
games-fps/quake4-bin
games-fps/quake4-data
games-fps/quake4-demo

# Tavis Ormandy (21 Mar 2006)
# masked pending unresolved security issues #127167
games-roguelike/slashem

# Tavis Ormandy (21 Mar 2006)
# masked pending unresolved security issues #125902
games-roguelike/nethack
games-util/hearse

# (01 Apr 2004)
# The following packages contain a remotely-exploitable
# security vulnerability and have been hard masked accordingly.
#
# Please see http://bugs.gentoo.org/show_bug.cgi?id=44351 for more info
#
games-fps/unreal-tournament-goty
games-fps/unreal-tournament-strikeforce
games-fps/unreal-tournament-bonuspacks
games-fps/aaut

Thanks,

William