Package: amavisd-new
Version: 1:2.6.4-2
Severity: minor

I see this package depends on libcompress-raw-zlib-perl (>= 2.017).
However, this seems to be only a precaution to avoid a security
vulnerability in earlier upstream versions of Compress::Raw::Zlib.
From amavisd:

  # avoid DoS vulnerability in < 2.017
  Compress::Raw::Zlib->VERSION(2.017);  # required minimal version, or die

This vulnerability was clearly CVE-2009-1391, and the fix was backported
to the Debian packages. It was fixed in perl/5.10.0-19lenny1,
perl/5.10.0-23, libcompress-raw-zlib-perl/2.012-1lenny1, and
libcompress-raw-zlib-perl/2.015-2.

The dependencies could therefore be relaxed a bit by patching the
version check away from amavisd and using
  perl (>= 5.10.0-23) | libcompress-raw-zlib-perl (>= 2.015-2)
However, I can certainly see that this is probably not worth deviating
from upstream.

What I don't understand is why you're not allowing even perl
(>= 5.10.1), which contains Compress::Raw::Zlib 2.020, as an
alternative dependency. There's a lintian warning about this
(versioned-dependency-satisfied-by-perl) that you're explicitly
overriding. What's the rationale?

If there's a problem with the versioned-dependency-satisfied-by-perl
check, I'd like to know about it.
-- 
Niko Tyni   nt...@debian.org
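The report above turns on a detail worth seeing in running code: amavisd's `Compress::Raw::Zlib->VERSION(2.017)` gates on the module's `$VERSION` alone, so a distribution build that backported the CVE-2009-1391 fix into an older release (2.012-1lenny1 in Debian's case) still fails the check. The following Perl script is an added illustration, not code from amavisd or from the Debian package; the threshold 2.017 is the one quoted in the report, and the `dpkg -s` suggestion in the message is an assumption about how one would check the package version instead.

```perl
#!/usr/bin/perl
# Added illustration, not code from amavisd or the Debian package.
# Demonstrates that a pure $VERSION gate cannot recognise a vendor backport:
# UNIVERSAL::VERSION dies for any loaded version below the threshold, even
# when the installed package already carries the CVE-2009-1391 fix.
use strict;
use warnings;
use Compress::Raw::Zlib;

my $min  = 2.017;                           # threshold used by amavisd (from the report)
my $have = Compress::Raw::Zlib->VERSION;    # module's own $VERSION string

# ->VERSION($min) croaks when $VERSION < $min; wrap it so the outcome is reported
# instead of aborting the script.
if (eval { Compress::Raw::Zlib->VERSION($min); 1 }) {
    print "Compress::Raw::Zlib $have >= $min: upstream version check passes\n";
} else {
    # $@ holds the message from UNIVERSAL::VERSION, roughly:
    # "Compress::Raw::Zlib version 2.017 required--this is only version 2.012"
    chomp(my $err = $@);
    print "Upstream version check fails: $err\n";
    print "If this is a distribution build with the fix backported, \$VERSION\n",
          "cannot show that; compare the package version instead\n",
          "(e.g. dpkg -s libcompress-raw-zlib-perl, or dpkg -s perl for the\n",
          "core copy), which is the version relation a packaged dependency\n",
          "can express.\n";
}
```

Running this on a system with the backported lenny package prints the failure branch, which is exactly why the report proposes relaxing the packaged dependency rather than relying on the module-level check.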
