Please remove python-oauth2 package from Ubuntu repo

Bug #1411176 reported by Jörg Frings-Fürst
Affects | Status | Importance | Assigned to | Milestone
django-oauth-plus (Ubuntu) | Fix Released | Wishlist | Unassigned |
indiv-screenlets (Ubuntu) | Invalid | Undecided | Unassigned |
python-django-social-auth (Ubuntu) | Fix Released | Wishlist | Unassigned |
python-oauth2 (Debian) | Fix Released | Unknown | |
python-oauth2 (Ubuntu) | Fix Released | Wishlist | Unassigned |
turses (Ubuntu) | Fix Released | Wishlist | Unassigned |

Bug Description

Hello,

please remove the package python-oauth2 from the repositories.

The package has two open CVEs [1][2][3]. Upstream is no longer active.

CU
Jörg

[1] https://bugs.launchpad.net/ubuntu/+source/python-oauth2/+bug/1384815
[2] https://bugs.launchpad.net/bugs/cve/2013-4346
[3] https://bugs.launchpad.net/bugs/cve/2013-4347

affects: netbeans (Ubuntu) → python-oauth2 (Ubuntu)
information type: Private Security → Public
information type: Public → Public Security
Marc Deslauriers (mdeslaur) wrote :

This package is merged/synced with Debian. Please file a bug with Debian to get it removed there first. Thanks.

Changed in python-oauth2 (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
Jörg Frings-Fürst (jff-de) wrote :

Hi Marc

I have attached the Debian RM bug.

CU
Jörg

Jörg Frings-Fürst (jff-de) wrote :

Hi Marc,

At Debian, python-oauth2 is removed from unstable and testing.

CU
Jörg

Changed in python-oauth2 (Debian):
status: Unknown → Fix Released
Steve Beattie (sbeattie) wrote :

Thanks for getting it taken care of in Debian; subscribing archive admins to get it removed for vivid.

Steve Beattie (sbeattie) wrote :

So python-oauth2 has some reverse dependencies:

python-oauth2
Reverse Depends:
  turses
  screenlets-pack-all
  python-django-social-auth
  python-django-oauth-plus

turses was removed from Debian in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779448
python-django-social-auth was removed from Debian in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779447
python-django-oauth-plus was removed from Debian in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779446

screenlets-pack-all (srcpkg indiv-screenlets) is an odd duck; it's a separated-out package from the screenlets src package and is newer than the Debian version of screenlets (which does not recommend python-oauth2). The screenlets upstream is dead, having been deprecated by GNOME (http://screenlets.org no longer shows anything).

Looking at the indiv-screenlets source, the only Screenlet that makes use of python-oauth2 is the Twitter screenlet. So either we should just drop the screenlets and indiv-screenlets packages entirely, or disable the Twitter screenlet from the indiv-screenlets package so that the dependency on python-oauth2 can be dropped.

Changed in turses (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
Changed in python-django-social-auth (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
Changed in django-oauth-plus (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
Steve Beattie (sbeattie)
Changed in indiv-screenlets (Ubuntu):
status: New → Confirmed
Steve Beattie (sbeattie) wrote :

When considering what action to take with respect to indiv-screenlets, please note that the indiv-screenlets package has 83 open bugs and the screenlets package has 113 open.

Bryan Quigley (bryanquigley) wrote :

Everything except for screenlets-pack-all has been removed from Wily (as synced from Debian unstable). screenlets-pack-all only had a recommends on python-oauth2. Is there another reason to remove it?

Changed in indiv-screenlets (Ubuntu):
status: Confirmed → Incomplete
Changed in django-oauth-plus (Ubuntu):
status: Confirmed → Fix Released
Changed in python-django-social-auth (Ubuntu):
status: Confirmed → Fix Released
Changed in python-oauth2 (Ubuntu):
status: Confirmed → Fix Released
Changed in turses (Ubuntu):
status: Confirmed → Triaged
status: Triaged → Fix Released
Bryan Quigley (bryanquigley) wrote :

Reviews on screenlets indicate this is still useful to someone in 2014. (3 Stars), closing that task as it's not blocking anything.

Changed in indiv-screenlets (Ubuntu):
status: Incomplete → Invalid
This report contains Public Security information  
Everyone can see this security related information.
