[Secure-testing-team] Bug#830294: trn is insecure, and unsuitable for use with untrusted data
Matthew Vernon
matthew at debian.org
Thu Jul 7 22:19:53 UTC 2016
Package: trn
Version: 3.6-24
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
I am the maintainer for trn, and have seen evidence that it's not safe
to use with untrusted input (e.g. usenet).
Further, I've asked and no-one wants to work on its rather elderly
code-base, whereas trn4 still gets at least some love.
So, we should remove trn3; I'll file more bugs about that in due course.
Regards,
Matthew
-- System Information:
Debian Release: 7.11
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-4-686-pae (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages trn depends on:
ii debconf 1.5.49
ii inn2-inews [inews] 2.5.3-3
ii libc6 2.13-38+deb7u11
ii libncurses5 5.9-10
ii libtinfo5 5.9-10
Versions of packages trn recommends:
ii exim4-daemon-heavy [mail-transport-agent] 4.80-7+deb7u3
Versions of packages trn suggests:
ii ispell 3.3.02-6
-- debconf information:
shared/news/server:
More information about the Secure-testing-team
mailing list