2011-05-12 07:23:39 |
Steve Langasek |
bug |
|
|
added bug |
2011-05-12 07:23:52 |
Steve Langasek |
libtirpc (Ubuntu): status |
New |
Incomplete |
|
2011-05-12 07:23:52 |
Steve Langasek |
libtirpc (Ubuntu): assignee |
|
Stéphane Graber (stgraber) |
|
2011-05-12 07:24:55 |
Steve Langasek |
bug task added |
|
rpcbind (Ubuntu) |
|
2011-05-12 07:25:08 |
Steve Langasek |
rpcbind (Ubuntu): status |
New |
Incomplete |
|
2011-05-12 07:25:08 |
Steve Langasek |
rpcbind (Ubuntu): assignee |
|
Stéphane Graber (stgraber) |
|
2011-05-12 07:26:00 |
Steve Langasek |
libtirpc (Ubuntu): importance |
Undecided |
High |
|
2011-05-12 07:26:01 |
Steve Langasek |
rpcbind (Ubuntu): importance |
Undecided |
High |
|
2011-05-12 07:26:08 |
Steve Langasek |
nominated for series |
|
Ubuntu Oneiric |
|
2011-05-12 07:26:08 |
Steve Langasek |
bug task added |
|
libtirpc (Ubuntu Oneiric) |
|
2011-05-12 07:26:08 |
Steve Langasek |
bug task added |
|
rpcbind (Ubuntu Oneiric) |
|
2011-05-12 07:38:37 |
Steve Langasek |
bug |
|
|
added subscriber MIR approval team |
2011-05-19 00:53:30 |
Patrick Hetu |
bug |
|
|
added subscriber Patrick Hetu |
2011-05-24 14:02:53 |
Stéphane Graber |
description |
The new nfs-utils in Debian adds dependencies on libtirpc and rpcbind for IPv6. One is a network-sensitive library and the other is a network server, so I guess we'll want some careful review. |
The new nfs-utils in Debian adds dependencies on libtirpc and rpcbind for IPv6. One is a network-sensitive library and the other is a network server, so I guess we'll want some careful review.
== libtirpc ==
* Availability: Package is in universe, synced from Debian
* Rationale: Dependency of rpcbind which is required for IPv6 support
* Security:
** No CVE: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tirpc
** 2 old (2008) Secunia advisories: http://secunia.com/advisories/product/17898/?task=advisories (fixed by upstream)
** Ubuntu CVE tracker: none
** SUID/SGID binaries: none
** Executables in sbin: none
** Daemons: none
* QA:
** Just a library with two binary packages (one for the lib and one -dev), no debconf question or configuration.
** No bug in Ubuntu: https://launchpad.net/ubuntu/+source/libtirpc/+bugs
** No critical bugs in Debian: http://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=libtirpc
** Package is maintained in Debian though not very active (last upload in December, moved to testing in February)
** Build-depends on universe package "libgss-dev" which seems useless and should be dropped
*** A rebuild without the build-depend worked fine
*** Output of ldd is identical
*** Output of strings is identical |
|
2011-05-25 14:09:08 |
Stéphane Graber |
description |
The new nfs-utils in Debian adds dependencies on libtirpc and rpcbind for IPv6. One is a network-sensitive library and the other is a network server, so I guess we'll want some careful review.
== libtirpc ==
* Availability: Package is in universe, synced from Debian
* Rationale: Dependency of rpcbind which is required for IPv6 support
* Security:
** No CVE: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tirpc
** 2 old (2008) Secunia advisories: http://secunia.com/advisories/product/17898/?task=advisories (fixed by upstream)
** Ubuntu CVE tracker: none
** SUID/SGID binaries: none
** Executables in sbin: none
** Daemons: none
* QA:
** Just a library with two binary packages (one for the lib and one -dev), no debconf question or configuration.
** No bug in Ubuntu: https://launchpad.net/ubuntu/+source/libtirpc/+bugs
** No critical bugs in Debian: http://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=libtirpc
** Package is maintained in Debian though not very active (last upload in December, moved to testing in February)
** Build-depends on universe package "libgss-dev" which seems useless and should be dropped
*** A rebuild without the build-depend worked fine
*** Output of ldd is identical
*** Output of strings is identical |
The new nfs-utils in Debian adds dependencies on libtirpc and rpcbind for IPv6. One is a network-sensitive library and the other is a network server, so I guess we'll want some careful review.
Please do not process this MIR until we have a new libtirpc in Debian dropping the build-dep on libgss-dev.
== libtirpc ==
* Availability: Package is in universe, synced from Debian
* Rationale: Dependency of rpcbind which is required for IPv6 support
* Security:
** No CVE: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tirpc
** 2 old (2008) Secunia advisories: http://secunia.com/advisories/product/17898/?task=advisories (fixed by upstream)
** Ubuntu CVE tracker: none
** SUID/SGID binaries: none
** Executables in sbin: none
** Daemons: none
* QA:
** Just a library with two binary packages (one for the lib and one -dev), no debconf question or configuration.
** No bug in Ubuntu: https://launchpad.net/ubuntu/+source/libtirpc/+bugs
** No critical bugs in Debian: http://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=libtirpc
** Package is maintained in Debian though not very active (last upload in December, moved to testing in February)
** Currently Build-depends on universe package "libgss-dev" but isn't necessary. Next Debian upload will drop it.
== rpcbind ==
* Availability: Package is in universe, synced from Debian.
* Rationale: Replacement of portmap as a nfs-utils build-depend required for IPv6 support.
* Security:
** No CVEs that seem to target the current code base: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tirpc
** No Secunia advisories: http://secunia.com/search/?search=rpcbind
** Ubuntu CVE tracker: none
** SUID/SGID binaries: none
** Executables in sbin: /sbin/rpcbind (the daemon) and /usr/sbin/rpcinfo (a client)
** Daemons: rpcbind (sysvinit script, probably to be converted to upstart similar to what was done for portmap)
* QA:
** No debconf question, one config file in /etc (/etc/insserv.conf.d/rpcbind) but no user changes required
** No critical bugs in Ubuntu: https://launchpad.net/ubuntu/+source/rpcbind/+bugs
** No critical bugs in Debian: http://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=rpcbind
** Package is maintained in Debian, last upload in March.
** Depends and build-depends on libtirpc (see MIR above) |
|
2011-05-25 15:01:47 |
Steve Langasek |
libtirpc (Ubuntu Oneiric): status |
Incomplete |
New |
|
2011-05-25 15:01:48 |
Steve Langasek |
rpcbind (Ubuntu Oneiric): status |
Incomplete |
New |
|
2011-05-30 13:03:48 |
Stéphane Graber |
libtirpc (Ubuntu Oneiric): assignee |
Stéphane Graber (stgraber) |
|
|
2011-05-30 13:03:50 |
Stéphane Graber |
rpcbind (Ubuntu Oneiric): assignee |
Stéphane Graber (stgraber) |
|
|
2011-05-30 14:18:40 |
Matthias Klose |
libtirpc (Ubuntu Oneiric): assignee |
|
Canonical Security Team (canonical-security) |
|
2011-05-30 14:19:07 |
Matthias Klose |
rpcbind (Ubuntu Oneiric): assignee |
|
Ubuntu Security Team (ubuntu-security) |
|
2011-05-30 14:19:19 |
Matthias Klose |
libtirpc (Ubuntu Oneiric): assignee |
Canonical Security Team (canonical-security) |
Ubuntu Security Team (ubuntu-security) |
|
2011-06-24 15:58:00 |
Steve Langasek |
description |
The new nfs-utils in Debian adds dependencies on libtirpc and rpcbind for IPv6. One is a network-sensitive library and the other is a network server, so I guess we'll want some careful review.
Please do not process this MIR until we have a new libtirpc in Debian dropping the build-dep on libgss-dev.
== libtirpc ==
* Availability: Package is in universe, synced from Debian
* Rationale: Dependency of rpcbind which is required for IPv6 support
* Security:
** No CVE: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tirpc
** 2 old (2008) Secunia advisories: http://secunia.com/advisories/product/17898/?task=advisories (fixed by upstream)
** Ubuntu CVE tracker: none
** SUID/SGID binaries: none
** Executables in sbin: none
** Daemons: none
* QA:
** Just a library with two binary packages (one for the lib and one -dev), no debconf question or configuration.
** No bug in Ubuntu: https://launchpad.net/ubuntu/+source/libtirpc/+bugs
** No critical bugs in Debian: http://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=libtirpc
** Package is maintained in Debian though not very active (last upload in December, moved to testing in February)
** Currently Build-depends on universe package "libgss-dev" but isn't necessary. Next Debian upload will drop it.
== rpcbind ==
* Availability: Package is in universe, synced from Debian.
* Rationale: Replacement of portmap as a nfs-utils build-depend required for IPv6 support.
* Security:
** No CVEs that seem to target the current code base: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tirpc
** No Secunia advisories: http://secunia.com/search/?search=rpcbind
** Ubuntu CVE tracker: none
** SUID/SGID binaries: none
** Executables in sbin: /sbin/rpcbind (the daemon) and /usr/sbin/rpcinfo (a client)
** Daemons: rpcbind (sysvinit script, probably to be converted to upstart similar to what was done for portmap)
* QA:
** No debconf question, one config file in /etc (/etc/insserv.conf.d/rpcbind) but no user changes required
** No critical bugs in Ubuntu: https://launchpad.net/ubuntu/+source/rpcbind/+bugs
** No critical bugs in Debian: http://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=rpcbind
** Package is maintained in Debian, last upload in March.
** Depends and build-depends on libtirpc (see MIR above) |
The new nfs-utils in Debian adds dependencies on libtirpc and rpcbind for IPv6. One is a network-sensitive library and the other is a network server, so I guess we'll want some careful review.
== libtirpc ==
* Availability: Package is in universe, synced from Debian
* Rationale: Dependency of rpcbind which is required for IPv6 support
* Security:
** No CVE: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tirpc
** 2 old (2008) Secunia advisories: http://secunia.com/advisories/product/17898/?task=advisories (fixed by upstream)
** Ubuntu CVE tracker: none
** SUID/SGID binaries: none
** Executables in sbin: none
** Daemons: none
* QA:
** Just a library with two binary packages (one for the lib and one -dev), no debconf question or configuration.
** No bug in Ubuntu: https://launchpad.net/ubuntu/+source/libtirpc/+bugs
** No critical bugs in Debian: http://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=libtirpc
** Package is maintained in Debian though not very active (last upload in December, moved to testing in February)
** Currently Build-depends on universe package "libgss-dev" but isn't necessary. Next Debian upload will drop it.
== rpcbind ==
* Availability: Package is in universe, synced from Debian.
* Rationale: Replacement of portmap as a nfs-utils build-depend required for IPv6 support.
* Security:
** No CVEs that seem to target the current code base: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tirpc
** No Secunia advisories: http://secunia.com/search/?search=rpcbind
** Ubuntu CVE tracker: none
** SUID/SGID binaries: none
** Executables in sbin: /sbin/rpcbind (the daemon) and /usr/sbin/rpcinfo (a client)
** Daemons: rpcbind (sysvinit script, probably to be converted to upstart similar to what was done for portmap)
* QA:
** No debconf question, one config file in /etc (/etc/insserv.conf.d/rpcbind) but no user changes required
** No critical bugs in Ubuntu: https://launchpad.net/ubuntu/+source/rpcbind/+bugs
** No critical bugs in Debian: http://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=rpcbind
** Package is maintained in Debian, last upload in March.
** Depends and build-depends on libtirpc (see MIR above) |
|
2011-06-27 21:49:00 |
Kees Cook |
libtirpc (Ubuntu Oneiric): status |
New |
In Progress |
|
2011-06-27 21:49:05 |
Kees Cook |
libtirpc (Ubuntu Oneiric): assignee |
Ubuntu Security Team (ubuntu-security) |
|
|
2011-07-24 05:25:51 |
Steve Langasek |
libtirpc (Ubuntu Oneiric): status |
In Progress |
Fix Released |
|
2011-07-27 21:52:42 |
Kees Cook |
rpcbind (Ubuntu Oneiric): status |
New |
In Progress |
|
2011-07-27 21:52:44 |
Kees Cook |
rpcbind (Ubuntu Oneiric): assignee |
Ubuntu Security Team (ubuntu-security) |
|
|
2011-07-28 18:24:30 |
Steve Langasek |
rpcbind (Ubuntu Oneiric): status |
In Progress |
Fix Released |
|