Remove from archive.

Bug #432119 reported by Dave Walker
This bug affects 1 person
Affects: destar (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: -

Bug Description

Binary package hint: destar

As indicated on the Pkg-voip-maintainers mailing list [1], upstream is no longer maintaining this application. With this in mind, and some very serious security issues [2], I would like to request it is removed from the archive.

It doesn't have any rdepends.

[1] http://lists.alioth.debian.org/pipermail/pkg-voip-maintainers/2009-September/014984.html
[2] Bug #421863

ProblemType: Bug
Architecture: i386
Date: Thu Sep 17 21:45:31 2009
DistroRelease: Ubuntu 9.10
Package: destar (not installed)
ProcEnviron:
 PATH=(custom, user)
 LANG=en_GB.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-10.34-generic
SourcePackage: destar
Uname: Linux 2.6.31-10-generic i686

James Westby (james-w) wrote :

Needs a sponsor ACK first.

Thanks,

James

Benjamin Drung (bdrung) wrote :

Upstream is not very active, but is it dead? The last svn commit was 5 months ago. Couldn't the security issue be fixed?

Changed in destar (Ubuntu):
status: New → Incomplete
Dave Walker (davewalker) wrote :

The last committer (5 months ago) is one of the more active people in debian-voip. That person hasn't responded to the thread linked above asking for it to be removed.

I am concerned that this vulnerability has been in the wild since 2008-03-24, and upstream hasn't yet responded with a resolution.

I would imagine it would be prudent to remove from the archive until a suitable solution has been found. I do not believe a suitable security fix will be made any time soon from either Ubuntu or Debian developers.

Looking at the linked bug report that I made, there should be no doubt - it is a *VERY* serious security vulnerability.

Additionally, the package is not compatible with the Asterisk currently in the Karmic archives, and I'm not even sure it is compatible with any version other than the one in Dapper.

If the above points are resolved, then surely it could be re-introduced?

Benjamin Drung (bdrung) wrote :

Thanks for this explanation. If the security and compatibility issues are resolved, then it can be re-introduced.

Therefore I ACK the remove request.

Changed in destar (Ubuntu):
status: Incomplete → Confirmed
Colin Watson (cjwatson) wrote :

2009-09-23 10:53:47 INFO creating lockfile
2009-09-23 10:53:51 INFO Removing candidates:
2009-09-23 10:53:51 INFO destar 0.2.2-5.2ubuntu1 in karmic
2009-09-23 10:53:51 INFO destar 0.2.2-5.2ubuntu1 in karmic amd64
2009-09-23 10:53:51 INFO destar 0.2.2-5.2ubuntu1 in karmic armel
2009-09-23 10:53:51 INFO destar 0.2.2-5.2ubuntu1 in karmic i386
2009-09-23 10:53:51 INFO destar 0.2.2-5.2ubuntu1 in karmic ia64
2009-09-23 10:53:51 INFO destar 0.2.2-5.2ubuntu1 in karmic lpia
2009-09-23 10:53:51 INFO destar 0.2.2-5.2ubuntu1 in karmic powerpc
2009-09-23 10:53:51 INFO destar 0.2.2-5.2ubuntu1 in karmic sparc
2009-09-23 10:53:51 INFO Removed-by: Colin Watson
2009-09-23 10:53:51 INFO Comment: requested by davewalker; unmaintained upstream, serious security issues (LP: #432119)
2009-09-23 10:53:51 INFO 8 packages successfully removed.
Confirm this transaction? [yes, no] yes
2009-09-23 10:53:58 INFO Transaction committed.
2009-09-23 10:53:58 INFO The archive will be updated in the next publishing cycle.

Changed in destar (Ubuntu):
status: Confirmed → Fix Released