On Thu, Apr 21, 2016 at 06:58:18AM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Wed, Apr 20, 2016 at 11:01:29PM +0200, Sebastian Andrzej Siewior wrote:
> > On 2015-03-15 06:42:08 [+0100], Salvatore Bonaccorso wrote:
> > > On Tue, Feb 17, 2015 at 10:07:06AM +0000, Patrick Coleman wrote:
> > > > * Remote null pointer dereference
> > > > A remote user can cause a null pointer dereference by sending a
> > > > malformed Authorization: header.
> > > > http://patrick.ld.net.au/libcsoap/nanohttp-nullp-1.patch
> > > 
> > > For this issue CVE-2015-2297 was assigned.
> > 
> > What do we do here? That bug is open for slightly over a year with a
> > security tag and zero activity. We had two patches here which do now
> > 404. popcon goes down and it could have something to do with not being
> > part of stable. The current binary depends on libssl1.0.0 which has no
> > source, a binNMU would fix it (just tried, that is why I stumbled over
> > it).
> > So we fix this? Do we remove it? In case we want to fix, has someone a
> > copy of the two patches?
> 
> Given the package looks unmaintained (last update by maintainer back
> in 20 Jun 2010, I think it is the best option to remove the package as
> well from unstable). It is already gone in testing, so will not be
> included in stretch and neither was in jessie.

Ack, let's remove this.

Cheers,
        Moritz
