Source: libnsbmp
Severity: serious

Hello,

libnsbmp has not seen a maintainer upload ever since its addition to Debian in 2009. Recently two CVEs [1] have been reported against this package and I wonder why we have this package in Debian at all.

[1] https://security-tracker.debian.org/tracker/source-package/libnsbmp

There are no reverse dependencies, maybe netsurf used this library at some point but that seems to no longer be the case.

If you agree with me please clone this bug against ftp.debian.org and retitle it as "RM: libnsbmp -- ROM; unused library package".

In the meantime I file this as severity serious so that the package gets dropped from testing given its unmaintained state.

Thank you!

-- System Information:
Debian Release: stretch/sid
  APT prefers squeeze-lts
  APT policy: (500, 'squeeze-lts'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)