Hi Salvatore,

I am doing some QA overseeing, I am not the maintainer of i2p. I NMUed it one year and a half ago, nothing has happened since then.

On Sun, 06 Aug 2023 21:26:51 +0200 Salvatore Bonaccorso <car...@debian.org> wrote:
> Source: i2p
> Version: 0.9.48-1.1
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for i2p.
>
> CVE-2023-36325[0]:
> | Attackers can de-anonymize i2p hidden services with a message replay
> | attack
>
> Should i2p be removed from unstable?

- I feel fixing the CVE would require packaging the last upstream version (which fixed it); the Debian version is far behind it, and upstream has changed its build system, so a simple NMU is not the solution;
- I don't feel the maintainer still has interest in this package, which he has not touched for 3 years;
- There is another RC bug, #1031817, that needs to be worked on; upstream has not addressed it yet;
- i2p has not been in a Debian release since buster;
- its popcon is quickly decreasing;
- there is only one rdep, syndie, with the same maintainer; it has not seen an upload in 4 years and has a near-zero popcon.

I would indeed suggest removing the package and syndie (RoQA) after giving the maintainer some time to respond. Keeping these two packages in unstable seems only harmful right now.

What do you think?

> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-36325
> https://www.cve.org/CVERecord?id=CVE-2023-36325
> [1] https://xeiaso.net/blog/CVE-2023-36325
>
> Regards,
> Salvatore

Best,
-- 
Pierre