[Secure-testing-team] Status of unfixed security issues
Andrew Pollock
apollock at debian.org
Tue Apr 5 23:00:57 UTC 2005
On Wed, Apr 06, 2005 at 08:54:34AM +1000, Andrew Pollock wrote:
> On Tue, Apr 05, 2005 at 06:15:45PM -0400, Joey Hess wrote:
> >
> > > openwebmail CAN-2005-0445
> > > - Fixed upstream and no maintainer reaction since six weeks. Given the fact that
> > > another security issue is open for 2.5 months without reaction and 291478
> > > describes the security state of the code as rather poor this package should
> > > be given up for adoption or removed from sid as well. It's currently not part
> > > of Sarge, but there's still about 100 sid users in popcon alone which use the
> > > vulnerable version.
> >
> > You should contact the MIA handling guys for this I think.
> >
>
> openwebmail is already orphaned. I'll be making a QA upload once it hits the
> 14 day mark.
>
> If the attached patch applies, I'll apply it as part of the QA upload.
>
That said, I've read the bug, and apparently the patch doesn't fully address
the issues in the bug. I'm inclined to lean towards reassigning the WNPP bug
to ftp.debian.org and request its removal.
regards
Andrew
More information about the Secure-testing-team
mailing list