Bug#1004293: marked as done (warn users that src:khtml is insecure?)

[Debian Bug Tracking System]

Your message dated Fri, 26 Aug 2022 18:32:08 +0000
with message-id <e1ore7k-003zhb...@fasolo.debian.org>
and subject line Bug#1004293: fixed in debian-security-support 1:11+2022.08.23
has caused the Debian Bug report #1004293,
regarding warn users that src:khtml is insecure?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1004293: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004293
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: debian-security-support
Version: 1:11+2021.03.19
Severity: normal
File: /usr/share/debian-security-support/security-support-limited

As at Debian 11,

  * webkitgtk is in src:webkit2gtk, not src:webkit.
  * khtml is in src:khtml, not src:kde4libs.

GNOME3 and KDE5 have been around for a while now.
I think security-support-limited should be updated to reflect this.

These libraries are used by, for example, yelp and khelpcenter.
This means this fix will make check-security-support whinge at most GUI users,
the way it already does for needrestart users (#986507).

(I think this is a good thing.
There's really no reason yelp and khelpcenter need to JIT compile 
docbook/mallard to HTML and then embed a custom browser engine.
Get rid of them, render the HTML when the .deb is built, and just run the 
user's normal, security-supported browser.)

Note that someone already reported the khtml issue way back in Debian 7 
(#773387), but it was marked as blocked because
(paraphrasing) "KDE4 libraries are a mess and we'd end up with false positives 
for EVERY library in KDE" (#765452).
This is substantially improved in KDE5, and (AFAICT) should no longer block 
"correctly report src:khtml is insecure crap".



-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 
'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.14.0-0.bpo.2-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debian-security-support depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.77
ii  gettext-base           0.21-4

debian-security-support recommends no packages.

debian-security-support suggests no packages.

-- debconf information:
  debian-security-support/earlyend:
  debian-security-support/ended:
  debian-security-support/limited:

--- End Message ---

--- Begin Message ---

Source: debian-security-support
Source-Version: 1:11+2022.08.23
Done: Holger Levsen <hol...@debian.org>

We believe that the bug you reported is fixed in the latest version of
debian-security-support, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1004...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <hol...@debian.org> (supplier of updated debian-security-support 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 23 Aug 2022 18:26:34 +0200
Source: debian-security-support
Architecture: source
Version: 1:11+2022.08.23
Distribution: bullseye
Urgency: medium
Maintainer: Holger Levsen <hol...@debian.org>
Changed-By: Holger Levsen <hol...@debian.org>
Closes: 1004293
Changes:
 debian-security-support (1:11+2022.08.23) bullseye; urgency=medium
 .
   * Update security-support-limited from 1:12+2022.08.19 from unstable,
     - add khtml. Closes: #1004293.
     - add openjdk-17 and point to the bullseye release notes (as discussed in
       #975016).
     - for golang, point to the bullseye manual instead the buster one.
     - drop mozjs52 and mozjs60 as they were only present in buster.
     - drop libv8-3.14, mozjs, mozjs24, swftools and webkitgtk as they were
       only present in stretch and earlier.
Checksums-Sha1:
 54c96b95d04de624f7239f803177730385d4f29b 1871 
debian-security-support_11+2022.08.23.dsc
 a99eb292b2e491a22a2456801455699dc3b003c4 30700 
debian-security-support_11+2022.08.23.tar.xz
 cebaa7cfbfdb424dc3372478c5345a365514b698 6942 
debian-security-support_11+2022.08.23_source.buildinfo
Checksums-Sha256:
 1b51f0c82a50ba53aecd1f767d25a3026a2783a5290d556ea215e0b8f48e8d06 1871 
debian-security-support_11+2022.08.23.dsc
 5a838f8849277675704d2fab1389478c5a4364ec7147798418c2cf10be030ddf 30700 
debian-security-support_11+2022.08.23.tar.xz
 2c90fa1c77829bf98dc883c3fe4d2fd591950debb4caa558242cae48480b70a2 6942 
debian-security-support_11+2022.08.23_source.buildinfo
Files:
 5d2d3fba626a8fed500a1f6092988648 1871 admin optional 
debian-security-support_11+2022.08.23.dsc
 5a8c30cfb98a366995c11f10c56bccb4 30700 admin optional 
debian-security-support_11+2022.08.23.tar.xz
 0081024146785cba4caabef4d3bf7a46 6942 admin optional 
debian-security-support_11+2022.08.23_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEuL9UE3sJ01zwJv6dCRq4VgaaqhwFAmMFBOQACgkQCRq4Vgaa
qhwCTxAAlPH2FydXi3xUP8SkYrZWx8Uhk34UgQ9gP3hwLdxm+k+58MB7pR+w91wZ
HgaQMe+soVD9W/ybGtaKKvHFvsxoR6ywryStd+/xjlDnyWLbNulggyKbGETzsQ8d
VH+6CKj1iRTMbbn8jjze5jmBQwJO9uUM6Lm42icBKPAcrYHRfKPDYLY0Ui0sQ8pZ
Rj5hpLgBvQj/MjJn409f8dCXpyWVEMP46ZEJNBsf1DcjL/aIoldoy5N57zTf7lvJ
sYd97wUwrSH7RWE8KAWFLyL4xewuVE3zljhCL9LNMEO8XoXwNAWph/NCR5pXJFKW
zZC5fAuPWIsAbXZ4GLf2NP7eb/TkvT18OvSdATWQOwW+8+0c7Zv4aNgvxrDLr08x
IJoEUtSlNZaV5n3UlUZGvIa/cel0rLggc6FW99AQblHRSCqd1utezGnRQSgtw9JX
IgolRFjSSw4HQ1cZ5dC7qt+YuBLCyLmjEsWqQX/Cc7hCSszaRZiGB7bZyXq5pWFK
xS4ejceUVeqSzUJo4z/FBPtKRbHk/92h/F1RBk9RpXWds3sO931GQD+xJRjuenh9
b8yzePOdfFNetQr9gqeOLGhC5X2SlqX85AUYj8PQwbpYYhh9RQZtRkgeK1dCA2fQ
yz9IpliY6447AMwTEUCZvRfVxnyWIYo8DJeVNEqOjRjnjVORTJs=
=jLyC
-----END PGP SIGNATURE-----

--- End Message ---