/[secure-testing]/data/embedded-code-copies

Diff of /data/embedded-code-copies

Parent Directory | Revision Log | View Patch Patch

-revision 7696 by nion,
Sat Dec 22 16:18:49 2007 UTC
+revision 13476 by gilbert-guest,
Mon Dec  7 03:53:45 2009 UTC
 Line 1
  Embedded code copies
  ====================
- This file collects cases, where a source package embeds code from
+ This file collects source packages that embed code from other projects.
- other projects which is considered bad for fixing security flaws
+ This is considered bad for fixing security flaws because the fix needs
- because the fix needs to be applied in multiple source packages.
+ to be applied in multiple source packages.
  Format:
  <srcpkg> (<optional comment about srcpkg>)
          - <embedding srcpkg> <status> (<sort>; bug #<number>)
          NOTE: optional comments about the linkage of the embedding srcpkg
- status: version number fixing the embedded copy, <unfixed> or <unknown> if the version number can not be determined
+ status: version number fixing the embedded copy, <unfixed>, <removed>,
- sort: static/dynamic
+         <itp>, <not-affected>, <unknown> if the version number can not
+         be determined, or <unfixable> for unavoidable cases (e.g., forks
+         that add real value)
+ sort: static (linking statically against a lib)
+       embed (embedding a copy of the library into another source package)
+       fork (the package is not just embedding code but it is a fork and
+             thus might share parts of the source code)
+       old-version (the package is an older version of essentially
+                    the same code)
+ The srcpkg might be some string to identify the code if there is no
+ specific source package.
+ Everything up to the next line is ignored.
+ ---BEGIN
  xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
-         - gpdf <unfixed>
+         NOTE: Fixed packages link to poppler library unless otherwise noted
-         NOTE: only present in sarge, has been replaced by evince in etch
+         - pdftohtml <unknown>
-         - pdftohtml <unfixed>
+         [sarge] - pdftohtml <unfixed>
-         NOTE: has been replaced by poppler-utils, only present in sarge/etch
+         [etch] - pdftohtml <unfixed>
-         - kdegraphics <unfixed> (static; bug #436164)
+         NOTE: has been replaced by poppler-utils
-         NOTE: the kpdf replacement in KDE 4 is using poppler
+         - kdegraphics 4:4.2.2-1 (embed; bug #436164)
-         - tetex-bin 3.0-12 (dynamic)
+         - texlive-base 3.0-12 (embed)
-         NOTE: links to poppler
+         - texlive-bin 2007-1 (embed)
-         - texlive-bin <unknown> (dynamic)
-         NOTE: links to poppler
-         - koffice <unfixed> (static; bug #436163)
-         - libextractor 0.5.12-1 (static)
-         NOTE: libextractor is using its own pdf decoder
-         - libextractor 0.5.12-1 (dynamic)
-         NOTE: links to poppler
-         - pdfkit.framework 0.8-4 (dynamic)
          NOTE: links to poppler
-         - ipe <unfixed> (static)
+         - koffice <unfixed> (embed; bug #436163)
+         - libextractor 0.5.12-1 (embed)
+         NOTE: libextractor is using its own pdf decoder now
+         - ipe <unfixed> (embed)
          NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
-         - ruby-gnome2 <unknown> (dynamic)
+         - ruby-gnome2 <unknown> (embed)
          NOTE: copy only present in source but links to poppler
+         - pdfedit <unfixed> (embed; bug #510794)
+         - swftools <unfixed> (embed; bug #551293)
+         - poppler <unfixable> (fork)
+ ppmd
+         - libcomplearn-mod-ppmd <unfixed> (fork)
+         NOTE: discussion in #458152
+ libevent
+         - transmission 1.71-1 (embed; bug #529372)
+ lrmi
+         - read-edid 2.0.0-1 (embed; bug #495131)
+         - s3switch <unfixed> (embed)
+         - xresprobe <unfixed> (embed)
+         - zhcon <unfixed> (embed)
+ peercast
+         - gnome-peercast <removed> (embed)
+         [etch] - gnome-peercast <unfixed> (embed)
+ silc-toolkit
+         - silc-client 1.1~beta6-1 (embed)
+ icclib
+         - ghostscript <unfixed> (embed)
+         - argyll <unfixed> (embed)
+ dietlibc
+         - ccontrol 0.9.1+20071204-1 (static)
+ libmikmod
+         - sdl-mixer1.2 <unfixed> (embed)
+         TODO: report bug
+ libiax
+         - iaxmodem <unfixable> (embed; bug #548885)
+ spandsp
+         - iaxmodem <unfixable> (embed; bug #548885)
+ zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
+         - dpkg <unfixed> (static)
+         NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
+         - rsync <unfixed> (embed)
+         NOTE: somehow derived code base
+         - mono <unfixed> (embed)
+         TODO: check mozilla
+         - Linux kernels <unfixed> (embed)
+         - pvpgn 1.7.8-2 (embed)
+         - mrtg 2.12.2-1 (embed)
+         - rpm <unknown> (embed)
+         NOTE: pinged anibal since when rpm was fixed
+         - tuxcmd-modules <unfixed> (embed)
+         - zsync <unfixed>
+         - tra <unfixed>
+         - sash <unfixed>
+         - nsis <unfixed>
+         - mseide-msegui <unfixed>
+         NOTE: mseide
+         - mirrordir <unfixed>
+         - poco <unfixed>
+         - klibc <unfixed>
+         - ghostscript <unfixed>
+         - freeimage <unfixed>
+         - clamav <unfixed> (fork)
+         NOTE: from the changelog: "libclamav6 does indeed duplicate parts of the zlib code, but there is not way around that"
+         - tuxonice-userui <unfixed>
+         - plt-scheme <unfixed>
+         - perl <unfixed>
+         - paraview <unfixed>
+         - gcvs <unfixed>
+         - dump <unfixed>
+         - aide <unfixed> (static)
+         - dar <unfixed> (static)
+         - avfs <unfixed>
+         - fpc <unfixed>
+         - winff <unfixed>
+         NOTE: inherited from fpc, see #472304
+         - lazarus <unfixed>
+         NOTE: inherited from fpc, see #472304
+         - erlang <unfixed> (embed)
+         - gamera 3.2.3-1 (embed)
+         - python2.4 <unfixed> (embed; bug #553403)
+         - python2.5 <unfixed> (embed; bug #553403)
+ dulwich
+         - hg-git 0.1.0-1 (embed; bug #541996)
+ libvigraimpex
+         - hugin <unfixed> (embed; bug #542259)
+         - enblend-enfuse <unfixed> (embed; bug #542258)
+         - gamera 3.2.3-1 (embed)
+ libbz2
+         - dpkg <unfixed> (static)
+ libgadu
+         - centerim <unfixed> (embed; bug #559783)
+         - pidgin <not-affected> (links dynamically since initial release; fixed in gaim)
+         - gaim 1:2.0.0+beta3-3 (embed; bug #360280)
+         - kdenetwork 4:3.3.2-5 (embed)
+         NOTE: from kdenetwork: kopete
+         - ekg 1:1.8~rc0-1 (embed)
+         - kadu 0.6.0.2-3 (embed; bug #504430)
+         - gadu <itp> (embed)
+ xmlrpc (which package is the "origin" of this code?)
+         - drupal <unfixed> (embed)
+         - phpgroupware <unfixed> (embed)
+         - egroupware <unfixed> (embed)
+         - phpwiki <unfixed> (embed)
+         - php4 <unfixed> (embed)
+         TODO: check, php-pear, IIRC this was reorganized some weeks ago?
+ shtool (affects build-time only)
+         - mysql-ocaml <unfixed> (embed)
+         - php4 <unfixed> (embed)
- silc-toolkit:
- silc-client (uses libsilc and libsilcclient)
- dietlibc:
- ccontrol (links statically)
- libiax:
- iaxmodem
- zlib code: (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
- dpkg
- rsync (somehow derived code base)
- mono
- mozilla(?)
- Linux kernels
- pvpgn (links dynamically since 1.7.8-2)
- mrtg (links dynamically since 2.12.2-1)
- rpm
- libbz2:
- dpkg (statically linked)
- libgadu/ekg:
- centericq
- gaim
- pigdin (links dynamically against libgadu)
- kopete (ships the code, but links dynamically in the Debian package)
- kadu (not packaged in Debian)
- GNU gadu (not yet packaged in Debian)
- xmlrpc: (which package is the "origin" of this code?)
- drupal
- phpgroupware
- egroupware
- phpwiki
- php4 (php-pear, IIRC this was reorganized some weeks ago?)
- shtool: (affects build-time only)
- mysql-ocaml
- php4
- mozilla:
- mozilla-firefox
- mozilla-thunderbird
- firefox (to be removed)
- thunderbird (to be removed)
- iceweasel
  iceape
- icedove
+         - iceweasel <unfixed> (fork)
- xulrunner
+         - icedove <unfixed> (fork)
- nvu (no longer in Debian)
+         - xulrunner <unfixed> (fork)
+         - kompozer <unfixed> (embed; bug #532168)
- xli:
+         - galeon <unfixed> (fork)
- xloadimage
+         - epiphany-browser <unfixed> (fork)
+         - conkeror <unfixed> (fork)
- lesstif: (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
+         - kazehakase <unfixed> (fork)
- openmotif
- xfree86/xorg (in libxpm)
+ xli
+         - xloadimage <unfixed> (embed)
- kerberized apps with BSD origin:
- krb4
+ lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
- krb5
+         - openmotif <unfixed> (embed)
- heimdal
+         - libxpm <unfixed> (embed)
- grip: (which pkg is the origin?)
+ kerberized apps with BSD origin
- libcdaudio
+         - krb4 <removed> (embed)
- grip
+         - krb5 <unfixed> (embed)
- gnome-vfs (vfs2 as well?)
+         - heimdal <unfixed> (embed)
- fudforum:
+ grip (which pkg is the origin?)
- phpgroupware-fudforum
+         - libcdaudio <unfixed>
- egroupware-fudforum (removed from egroupware after sarge)
+         - grip <unfixed>
+         - gnome-vfs <unfixed>
- cvs:
+         TODO: check vfs2 as well
- gcvs (at least an additional script is included, check if there's more)
+ fudforum
- pcre:
+         [etch] - phpgroupware <unfixed> (embed)
- all pythons
+         NOTE: phpgroupware-fudforum
- php4 (src included, but Debian package links dynamically)
+         [sarge] - egroupware-fudforum <removed> (embed)
- analog (src included, but Debian package links dynamically)
- libgoffice-1
+ libbsd
- vfu (removed linking against embedded copy in 4.06-4.1; #450754)
+         - rdate 1:1.2-3 (embed)
- tf5 (since 5.0beta7 the Debian package links dynamically)
+         - atheme-services <unfixed>
- monotone (including this starting from 0.37)
+         - libbsd-arc4random-perl <unfixed>
- glib (2.14 series for gregex support, only for udeb, regular packag links dynamic)
+         - isakmpd <unfixed>
- apache2 (since 2.0.53-4 uses 040_link_external_pcre patch)
+         - bsdgames <unfixed> (embed)
- exim4 (since 4.10-0.srh20.12 uses 36_pcre patch to use external pcre)
+         - bsd-mailx <unfixed> (embed)
- yacas (<= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway)
+         - netcat-openbsd <unfixed> (embed; bug #550611)
- gtamsanalyzer.app (links dynamically since 0.42-5)
+         - openssh <unfixed> (embed)
+         - unworkable <unfixed> (embed)
- tiff:
- wxpythongtk (check, which debian pkg this is in)
+ cvs
- older kdegraphics/kpdf releases < 3.3 embedded a copy
+         - gcvs <unfixed> (embed)
+         NOTE: see cvsunix/src in tarball
- uudeview:
- libconvert-uulib-perl
+ pcre3
+         - php4 <unknown> (embed)
- sqlite: (not affected by security vulnerabilities so far)
+         - analog 2:5.23-0woody1 (embed)
- amarok
+         - goffice <unfixed> (embed)
- monotone
+         NOTE: libgoffice-*
- iceweasel
+         - vfu 4.06-4.1 (embed; bug #450754)
+         - tf5 5.0beta7-1 (embed)
- util-linux/mount:
+         - monotone 0.43-1 (embed)
- loop-aes-utils contains code from util-linux' mount in the mount-aes-udeb
+         NOTE: this only affects versions >= 0.37
+         - glib2.0 2.15.2-1 (embed)
- webmin:
+         - apache2 2.0.53-4 (embed)
- usermin (only in sarge)
+         - exim4 4.10-0.srh20.12 (embed)
+         - yacas <unfixed> (embed)
- sylpheed:
+         NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
- sylpheed-claws
+         - gtamsanalyzer.app 0.42-5 (embed)
+         - tin 980117-1 (embed)
- phpsysinfo:
+         - kazehakase 0.5.2-1
- egroupware
+         - webkit 1.0.1-1 (embed)
- phpgroupware
+         - qt4-x11 <unfixed> (embed)
+         NOTE: embedded via webkit copy
- phpldapadmin:
+         - erlang <unfixed> (embed)
- egroupware (removed from egroupware after sarge)
+ tiff
- chmlib:
+         - wxwindows2.4 2.2.1 (embed)
- kchmviewer (ships the code but links dynamically)
+         - gamera 3.2.3-1 (embed)
- libavcodec/libavformat (source: ffmpeg):
+ uudeview
- mplayer (#395252)
+         - libconvert-uulib-perl <unfixed> (embed)
- xvidcap
+         - pan <unfixed> (embed)
- kino (links statically, does not include code)
- vlc (links statically, does not include code)
+ sqlite (not affected by security vulnerabilities so far)
- smilutils (links statically, does not include code)
+         - amarok <unfixed> (embed)
- motion (links statically, does not include code)
+         - monotone 0.43-1 (embed)
- gst-ffmpeg
+         - iceweasel <unfixed> (embed)
- gstreamer0.10-ffmpeg
+         - heimdal <unfixed> (embed; bug #559616)
- xmovie
+ util-linux/mount
+         - loop-aes-utils <unfixed> (embed)
+         NOTE: contains code from util-linux' mount in the mount-aes-udeb
+ sylpheed
+         - sylpheed-claws <unfixed> (fork)
+ phpsysinfo
+         - egroupware <unfixed> (embed)
+         - phpgroupware <unfixed> (embed)
+ phpldapadmin
+         [sarge] - egroupware <unfixed> (embed)
+         NOTE: removed from egroupware after sarge
+ chmlib
+         - kchmviewer <unknown> (embed)
+ ffmpeg (libavcodec/libavformat)
+         - mplayer 1.0~rc2-14 (embed; bug #395252)
+         - kino 1.0.0-1
+         - vlc <not-affected> (Links dynamically since initial release)
+         - smilutils 0.3.0-10
+         NOTE: smilutils likely fixed earlier, marking Etch's version as fixed
+         - motion 3.1.19-1
+         - gstreamer0.10-ffmpeg 0.10.3-2
+         - xmovie <removed> (static)
+         TODO: gimp-gap (potentially using ffmpeg code as well)
+         - avifile 1:0.7.48~20090503.ds-1 (embed; bug #538750)
+         - audacity 1.3.7-2 (embed; bug #512278)
+ faad2
+         - mplayer 1.0~rc2-20 (embed)
+         - avifile <unfixed> (embed; bug #538750)
+         - ffmpeg-debian <removed> (old-version)
+ libmad (MPEG decoding lib)
+         - xine-lib <unfixed> (embed)
+         - avifile 1:0.7.48~20090503.ds-1 (embed) [./plugins/libmad/*]
+         TODO: check ocaml-mad, madplay, pymad, xmms-mad, xmms2
- mad MPEG decoding lib:
- mad
- xine-lib
- libdts:
  libdts
- xine-lib
+         - xine-lib <unfixed> (embed)
- flac:
  flac
- xine-lib
+         - xine-lib <unfixed> (embed)
- liba52:
+ liba52
- a52dec
+         - a52dec <unfixed> (embed)
- xine-lib
+         - xine-lib <unfixed> (embed)
+ libmpeg2
+         - mpeg2dec <unfixed> (embed)
+         - xine-lib <unfixed> (embed)
+ libntlm
+         - wget <unfixed> (fork; bug #550436)
+         - curl <unfixed> (fork; bug #550437)
+         - cntlm <unfixed> (fork; bug #550438)
+ uw-imap
+         - pine <unfixed> (embed)
+         - alpine <unfixed> (embed)
+ imagemagick
+         - graphicsmagick <unfixed> (fork)
+ python-urlgrabber
+         - mercurial <unfixed> (embed; bug #531062)
+         - w3af <unfixed> (embed; bug #555372)
+         [experimental] - harvestman <unfixed> (embed; bug #555373)
+ beautifulsoup
+         - python-mechanize <unfixed> (embed; bug #555349)
+         - zope2.11 <unfixed> (embed; bug #555350)
+         - twill <unknown> (embed)
+ halibut
+         - nsis <unfixed> (fork)
+ libghttp
+         - hotway <unfixed> (embed)
+ libsndfile
+         - ardour 1:2.7.1-1 (embed)
+ glibmm2.4
+         - ardour 1:2.7.1-1 (embed)
+ libgnomecanvasmm2.6
+         - ardour 1:2.7.1-1 (embed)
+ libsigc++-2.0
+         - ardour 1:2.7.1-1 (embed)
+ soundtouch
+         - ardour 1:2.7.1-1 (embed)
+ libmms
+         - xine-lib <unfixed> (embed)
+         - mimms <unfixed> (embed)
+ fckeditor
+         - knowledgeroot 0.9.8.5-3 (embed; bug #461555)
+         - moin 1.8.2-2 (embed; bug #452599)
+         - karrigell <removed> (embed; bug #452598)
+         - gforge 4.6.99+svn6225-1 (embed)
+         - request-tracker3.8 <unfixed> (embed)
+ ipatlas (not packaged in Debian)
+         - moodle <unfixed> (embed; bug #507185)
+ libphp-phpmailer
+         - moodle <unfixed> (embed; bug #507185)
+         - mahara <unfixed> (embed)
+         - symfony <unfixed> (embed)
+         [etch] - phpgroupware <unfixed> (embed)
+         NOTE: phpgroupware-felamimail is only in etch
+         - egroupware <unfixed> (embed; bug #504283)
+         - glpi <unfixed>
+ htmlArea (not packaged in Debian)
+         - moodle <unfixed> (embed)
+ giflib
+         - wine <unfixed> (embed; bug #466181)
+ bennu (not packaged in Debian, http://bennu.sourceforge.net)
+         - moodle <unfixed> (embed)
+ smarty
+         - moodle 1.8.2-2 (embed; bug #471158)
+         - gallery2 2.2.5-2 (embed; bug #471160)
+         - mahara 0.9.2-2 (embed; bug #471201)
+         - gosa 2.4beta1-1 (embed; bug #471200)
- libmpeg2:
+ TinyMCE
- mpeg2dec
+         - wordpress 2.5.1-3 (embed; bug #478257)
- xine-lib
+         - moodle <unfixed> (embed; bug #507185)
+         - knowledgeroot <unfixed> (embed)
- curl:
+         - joomla <itp> (bug #326398)
- wget (code for NTLM authentication)
+ scintilla (upstream provides static lib, rejected shared lib http://sf.net/support/tracker.php?aid=2488121)
- TODO evaluate:
+         - scite <unfixed> (embed)
- gimp-gap (potentially using ffmpeg code as well)
+         - qscintilla <unfixed> (embed)
+         - qscintilla2 <unfixed> (embed)
- uw-imap:
+         - geany <unfixed> (fork)
- pine
+         - anjuta <unfixed> (embed)
- alpine
+ libphp-adodb
- imagemagick:
+         - moodle <unfixed> (embed; bug #507185)
- graphicsmagick
+         NOTE: also AdoDB-XML Schema
+         - gallery2 <unfixed> (embed)
- halibut:
+         - phppgadmin <unfixed> (embed)
- nsis
+         - egroupware <unfixed> (embed)
+         - phpwiki <unfixed> (embed)
- libghttp:
+         - torrentflux 2.0beta1-2 (embed)
- hotway
+         - ipplan <unfixed> (embed)
+         - typo3-src <unfixed> (embed)
- libsndfile:
+         - cacti <unknown> (embed)
- ardour
+         [sarge] - cacti <unfixed> (embed)
+         NOTE: dependency exists, but internal version is used
- glibmm2.4:
+         - gforge 4.7~rc2-6 (embed)
- ardour
+         - mahara <unfixed> (embed)
- libgnomecanvasmm2.6:
+ gzip
- ardour
+         - linux-kernel <unfixed> (embed)
+         NOTE: lib/inflate.c
- libsigc++-2.0:
+         - klibc <unfixed> (embed)
- ardour
+         NOTE: based on linux-kernel gzip code
+         - busybox <unfixed> (embed)
+ neon
+         - cadaver 0.22.3+debian-1 (embed; bug #188381)
+         - gnome-vfs2 <unfixed> (embed; bug #395874)
+         [etch] - litmus <unfixed> (embed; #395875)
+         - litmus <removed> (embed; #395875)
+         [sarge] - screem <unfixed> (embed)
+         - sitecopy 1:0.16.3-5 (embed; bug #395876)
+         [etch] - tla <unfixed> (embed; bug #395877)
+         [sarge] - tla <unfixed> (embed; bug #395877)
+ libmodplug
+         - gst-plugins-bad0.10 <unfixed> (embed)
+ libvncserver
+         - vino <unfixed> (embed)
+ putty
+         - filezilla <unfixed> (embed)
+ tinyxml (not packaged in Debian; itp bug #531968)
+         - filezilla <unfixed>
+         - crystalspace <unfixed> (embed)
+         - libwfut <unfixed> (embed)
+         - rarian <unfixed> (embed)
+         - bulletml <unfixed> (embed)
+         - pokerth <unfixed> (embed)
+         - qutecom <unfixed> (embed)
+         - sofa-framework <unfixed> (embed)
+         - yate <unfixed> (embed)
+         - antigrav <unfixed> (embed)
+         - balder2d <unfixed> (embed)
+         - cal3d <unfixed> (embed)
+         - criticalmass <unfixed> (embed)
+         - ember <unfixed> (embed)
+         - epiphany <unfixed> (embed)
+         - gambit <unfixed> (embed)
+         - noiz2sa <unfixed> (embed)
+         - ogre <unfixed> (embed)
+         - opencity <unfixed> (embed)
+         - openmovieeditor <unfixed> (embed)
+         - pouetchess <unfixed> (embed)
+         - tecnoballz <unfixed> (embed)
+         - trigger-rally <unfixed> (embed)
+         - xmoto <unfixed> (embed)
+         - mapnik <unknown> (embed)
+         NOTE: uses a different XML parser by default
+         - rrootage 0.23a-6 <embed>
+         NOTE: links to libbulltetml
+         - boson <unknown> (embed)
+         NOTE: the embedded code is unused
+ gv
+         - evince <unfixed> (embed)
+         NOTE: ps/ tree from gv 3.5.8
+         NOTE: evince-gtk is affected (a component of evince source package)
+ libXbae
+         - paw <removed> (embed)
+         [etch] - paw <unfixed> (embed)
+ libgtkhtml
+         - claws-mail-extra-plugins <unfixed> (fork)
+ libXaw
+         - paw <removed> (embed)
+         [etch] - paw <unfixed> (embed)
+         NOTE: I plan to deal with the above two cases after Etch release. -- KevinMcCarty
+ libgd2
+         - graphviz <unfixed> (embed)
+         NOTE: lib/gd seems to be 2.0.33
+         - wml <unfixed> (embed)
+         - libwmf <unfixed> (embed)
+         NOTE: derived from gd 1.6.3
+ rar
+         - unrar-nonfree <unfixed> (embed)
+ unrar-free (maybe this code is derived from the original rar, too?)
+         - clamav <unfixed> (embed)
+         NOTE: seems to be disabled in default config
+ mplayer (DirectMedia Object loader)
+         - xine-lib <unfixed> (embed)
+         NOTE: src/libw32dll/
+         - vlc <unfixed> (embed)
+         NOTE: modules/codec/dmo/
+         - mplayer 1.0~rc2-20 (embed)
+ libwpd (WordPerfect converter)
+         - openoffice.org <unfixed> (embed)
+ fsplib (http://sourceforge.net/projects/fsp/)
+         - gftp <unfixed> (embed)
+         NOTE: lib/fsplib version 0.3
+ sprng
+         - tree-puzzle <unfixed> (embed)
+ librpcsecgss
+         - krb5 <unfixed> (embed)
+ jasper
+         - ghostscript 8.70~dfsg-2+b1 (embed)
+         - ghostscript <unfixed> (static)
+ libiris
+         - psi <unfixed> (embed)
+         - kdenetwork <unfixed> (embed)
+         NOTE: kopete embeds libiris but links dynamically to libidn
+         - kdegames <unfixed> (embed)
+         NOTE: ksirk/kde4
+ libidn
+         - monotone 0.43-1 (embed)
+         - psi <unfixed> (embed)
+         NOTE: psi embeds libiris which embeds libidn
+         - kdegames <unfixed> (embed)
+         NOTE: kdegames/kde4 embeds libiris which embeds libidn
+ liblua
+         - monotone 0.43-1 (embed)
+         - nmap 5.00-1 (embed; bug #527997)
+         [lenny] - nmap <unfixed> (embed; bug #527997)
+         - ocropus <unfixed> (embed)
+ libbotan
+         - monotone 0.43-1 (embed)
+ NetXX
+         - monotone 0.43-1 (embed)
+ libgc
+         - mono <unfixed> (embed)
+ lzma
+         - p7zip <unfixed> (embed)
+         - xz-utils <unfixed> (fork)
+ lzo
+         - grub2 <unfixed> (embed)
+ yassl
+         - mysql-dfsg-5.0 <unfixed> (embed)
+ pax code
+         - tar <unfixed> (embed)
+         - cpio <unfixed> (embed)
+ t1lib
+         - tetex-bin 2.0.2-1 (embed)
+         - texlive-bin <unknown> (embed)
+ guichan
+         - boswars <unfixed> (embed)
+         NOTE: maintainer notified us, working on it
+ tolua
+         - boswars <unfixed> (embed)
+         NOTE: maintainer notified us, working on it
+         - ocropus <unfixed> (embed)
+         - freeciv <unfixed> (embed)
- soundtouch:
+ asio-dev
- ardour
+         - luxrender <removed> (embed)
- libmms:
  xine-lib
- mimms
+         - vlc <unfixed> (embed)
+         NOTE: only parts included in modules/access/rtsp
- FCKeditor: (packaged as fckeditor)
+ netpbm
- knowledgeroot
+         - tcl8.3 <unfixed> (embed)
- moin (452599)
+         - tcl8.4 <unfixed> (embed)
- karrigell (452598)
+         - tcl8.5 <unfixed> (embed)
- gforge-plugins-extra (fixed since 4.6.99+svn6225-1)
+         NOTE: generic/tkImgGIF.c
+ tk8.5
+         - tk8.0 <removed> (old-version)
+         - tk8.3 <unfixed> (old-version)
+         - tk8.4 <unfixed> (old-version)
+         - perl-tk <unfixable> (fork)
+ samba
+         - mc 2:4.6.2~git20080311-1 (embed)
+         NOTE: maintainer is aware of this, currently searching a solution
+ plib1.8.4c2
+         - boson <unfixed> (fork)
+         NOTE: embedding the font pieces of plib, based on the header file it is forked, contains "Added by AB for boson." and similar
+ fribidi
+         - quesoglc <unfixed> (embed)
+         NOTE: compiled against system fribidi in Debian - embed only used when fribidi is not available on the system
+ glew
+         - quesoglc <unfixed> (embed; bug #489341)
+         NOTE: waiting on GLEW_MX version of glew (see bug #474488)
+         - trigger <unfixed> (embed)
+         NOTE: http://lists.debian.org/debian-devel-games/2009/12/msg00007.html
+         - trigger-rally <unfixed> (embed)
+         NOTE: http://lists.debian.org/debian-devel-games/2009/12/msg00007.html
+ minorGems (pabs contacted upstream about shared lib, he considers minorGems an 'ever-evolving collection of reusable code fragments' for his own use)
+         - transcend <unfixed> (embed)
+         - cultivation <unfixed> (embed)
+         - passage <unfixed> (embed)
+         - gravitation <unfixed> (embed)
+ tar
+         - libarchive <unfixed> (embed)
+         NOTE: FreeBSD tar (tar/bsdtar.c) in libarchive 1.2 and higher. libarchive ends up statically linked into bsdtar executable
+ cpio
+         - libarchive <unfixed> (embed)
+         NOTE: cpio included in libarchive 2.2 and higher, but not compiled until libarchive 2.4.11-1 (as bsdcpio package)
- Moodle contains lots of things:
+ webkit
- AdoDB
+         - qt4-x11 <unfixed> (embed; bug #479851)
- AdoDB-XML Schema
+         - kdelibs <unfixed> (old-version)
- ipatlas
+         - kde4libs <unfixed> (fork)
- PHPMailer
- Smarty
+ ftgl
- htmlArea
+         - blender 2.46+dfsg-1 (embed)
- TinyMCE
- bennu
+ wv
+         - abiword <unfixed>
+ qemu
+         - kvm <unfixed> (embed; bug #543159)
+         - xen-3 <unfixed> (embed)
+         - xen-unstable <unfixed> (embed)
+ vgabios
+         - kvm <unfixed> (embed; bug #489442)
+ bochs
+         - kvm <unfixed> (embed; bug #489442)
+ speex
+         - vorbis-tools <unfixed> (embed)
+         NOTE: while comiled against libspeex-dev, ogg123/speex_format.c is compiled with embedded code copied from speexdec.c
+         - gst-plugins-good0.10 <unfixed> (embed)
+         - xine-lib <unfixed> (embed)
+         - libfishsound <unfixed> (embed)
+         - libannodex <unfixed> (embed)
+         - vlc <unfixed> (embed)
+         - xmms-speex <unfixed> (embed)
+         - libsdl-sound1.2 <unfixed> (embed)
+         - sweep <unfixed> (embed)
+ libreadline
+         - magic <itp> (old-version)
+ opcode
+         - ode <unfixed> (embed)
+         NOTE: opcode is not a package in debian, it is just embedded
+         NOTE: http://www.codercorner.com/Opcode.htm
+ gimpact
+         - ode <unfixed> (embed)
+         NOTE: gimpact is not a package in debian, it is just embedded
+         NOTE: http://gimpact.sf.net
+ mochikit
+         - mahara <unfixed> (embed)
+         NOTE: they require extra patches, still unmerged upstream
+         - ntop <unfixed> (embed)
+         - coherence 0.6.2-1 (embed)
+         - paste <unfixed> (embed)
+         - turbogears <unfixed> (embed)
+         - plone3 <unfixed> (embed)
+         - xulrunner <unfixed> (embed)
+         - libjifty-plugin-chart-perl <unfixed> (embed)
+         - sabnzbdplus <unfixed> (embed)
+         - tgmochikit <unfixed> (embed)
+ prototypejs
+         - netbeans-ide 6.0.1+dfsg-2 (embed)
+         - auth2db 0.2.5-2+dfsg-1 (embed; bug #555218)
+         - webcit <unfixed> (embed; bug #555219)
+         - asterisk 1:1.6.2.0~rc3-1 (embed)
+         - libjson-ruby 1.1.4-1 (embed; bug #555224)
+         - lucene2 2.9.1+ds1-2 (embed; bug #555226)
+         - horde3 <unfixed> (embed)
+         - knowledgeroot <unfixed> (embed; bug #555230)
+         - mediatomb <unfixed> (embed; bug #555233)
+         - mt-daapd 0.9~r1696.dfsg-6lenny2 (embed)
+         - ebug-http <unfixed> (embed; bug #555236)
+         - phpgedview <removed> (embed)
+         - poker-network <unfixed> (embed; bug #555238)
+         - rails 2.1.0-6 (embed)
+         - wordpress 2.5.0-2 (embed; bug #555243)
+         - zope <not-affected> (the prototypejs embed is not in any of the obvious zope packages, e.g. zope2.9, zope2.10, zope2.11, and zope3)
+         TODO: search through all of the other zope packages
+         - ampache 3.4.1-2 (embed)
+         - exaile 0.2.14+debian-2.1 (embed; bug #555245)
+         - hobix 0.5~svn20070319-4 (embed; bug #555247)
+         - zabbix 1.6.6-4 (embed; bug #555250)
+         - chora2 <unfixed> (embed; bug #555253)
+         - gollem <unfixed> (embed; bug # 555254)
+         - jscropperui 1.2.1-1 (embed; bug #555257)
+         - scriptaculous <not-affected> (uses system prototype.js since initial upload; bug #555260)
+         - ingo1 <unfixed> (embed; bug #555261)
+         - kronolith2 <unfixed> (embed; bug #555262)
+         - activeldap <unfixed> (embed)
+         - libv8 <not-affected> (contains a google-specific implementation of prototype.js)
+         - mantis <unfixed> (embed; bug #555265)
+         - otrs2 2.3.4-6 (embed; bug #555267)
+         - webcalendar <unfixed> (embed; bug #555269)
+         - redmine 0.9.0~svn2907-1 (embed; bug #555270)
+         - jifty 0.90519-1 (embed; bug #555271)
+         - jquery <unfixed> (embed; bug #555272)
+         - passenger 2.2.5debian1-1 (embed; bug #555273)
+         - plone3 <unfixed> (embed; bug #555275)
+         - wesnoth <not-affected> (prototype.js not included in any of the binary packages; bug #555277)
+         - libhtml-prototype-perl 1.48-3 (embed; bug #538920)
+         - xulrunner <unfixed> (embed)
+         NOTE: included in iceweasel/xulrunner unit tests directory, so may not be security-relevant
+ gdb
+         - insight <unfixed> (embed)
+ e2fsprogs
+         - ldiskfsprogs <unfixable> (fork)
+ quazip (not packaged in Debian)
+         - qcake <unfixed> (embed)
+         NOTE: starting with upstream version 0.6.4
+ exo
+         - pcmanfm <unfixed> (embed; bug #499677)
+         NOTE: slightly modified source code
+ java
+         - openjdk-6 <unfixed>
+         - sun-java5 <unfixed>
+         - sun-java6 <unfixed>
+ libphp-snoopy
+         - ampache 3.4.1-2 (embed; bug #504169)
+         - gforge 4.6.99+svn6094-2 (embed)
+         - mahara 1.0.5-2 (embed; bug #504170)
+         - pixelpost 1.7.1-5 (embed; bug #504171)
+         - mediamate 0.9.3.6-5 (embed; bug #504172)
+         - opendb <removed> (embed; bug #504173)
+         [etch] - opendb <unfixed> (embed; bug #504173)
+         - wordpress 2.5.1-9 (embed; bug #443948)
+         - moodle <unfixed> (embed; bug #507185)
+         [etch] - phpgroupware <unfixed> (embed)
+         NOTE: phpgroupware-felamimail
+         - magpierss 0.72-3 (embed; bug #431089)
+ jquery
+         - zekr <unfixed> (embed)
+         - wordpress <unknown> (embed)
+         - yocto-reader <unfixed> (embed)
+         - textpattern <unfixed> (embed)
+         - genshi 0.5.1-1 (embed)
+         NOTE: compressed file under examples/ dir
+         - prewikka <unfixed> (embed)
+         - libramaze-ruby <unfixed> (embed)
+         - drupal5 <unfixed> (embed)
+         - b2evolution <unfixed> (embed)
+         - wesnoth <unfixed> (embed)
+ tablesorter (jquery plugin, not packaged yet)
+         - wesnoth <unfixed> (embed)
+ kses
+         - wordpress <unfixed> (embed; bug #504242)
+         NOTE: their copy has all methods renamed to wp_<foo>
+         NOTE: kses isn't in Debian, RFP: #504240
+         - moodle <unfixed> (embed; bug #507185)
+         - egroupware <unfixed> (embed)
+ magpierss
+         - wordpress <unfixed> (embed; bug #504242)
+         - moodle <unfixed>
+ php-gettext
+         - wordpress 2.8.4-1 (embed; bug #504242)
+ libphp-ixr (name may change, it is the Incutio XML-RPC)
+         - wordpress <unfixed> (embed; bug #504242)
+         NOTE: libphp-ixr isn't in Debian, RFP: #504236
+         - dokuwiki <unfixed> (embed)
+         - textpattern <unfixed> (embed)
+ libphp-cas
+         - glpi <unfixed> (embed)
+         - moodle <unfixed> (embed; bug #505984)
+ scriptaculous (prototype.js is among the embeds in the following)
+         - glpi <unfixed> (embed)
+         - libaws <unfixed> (embed; bug #555222)
+         - op-panel <unfixed> (embed)
+         - symfony <unfixed> (embed)
+         NOTE: maintainer says there are extra incompatible changes required
+         - pixelpost 1.7.1-6 (embed)
+         - webhelpers <unfixed> (embed)
+         - qwik <unfixed> (embed; bug #555241)
+         - smokeping <unfixed> (embed)
+         - turba2 <unfixed> (embed)
+         - typo3-src 4.2.3-1 (embed)
+         - request-tracker3.6 <unfixed> (embed)
+         - request-tracker3.8 <unfixed> (embed)
+         - rt-extension-emailcompletion <not-affected> (prototype.js not included in the binary package)
+         - wordpress 2.5.0-2 (embed)
+         - libhtml-prototype-perl 1.48-3 (embed)
+ libmarkdown-php
+         - moodle <unfixed> (embed; bug #507185)
+         - pixelpost 1.7.1-6 (embed)
+ php-openid
+         - wordpress-openid <itp> (embed)
+ geshi
+         - dokuwiki 0.0.20080505-3.1 (embed)
+         - pgfouine 1.0-1.1 (embed)
+         - websvn 2.1.0-1 (embed)
+ webcalendar
+         - gforge 4.7~rc2-6 (embed; bug #504758)
+ libical
+         - kdepim <unfixed> (fork)
+         - kdepimlibs <unfixed> (fork)
+         NOTE: fixed in KDE4 post 4.1.x series
+         - claws-mail-extra-plugins <unfixed> (fork)
+ libltdl3
+         - kdelibs <unfixed> (embed)
+         NOTE: it's been said it sets RT_GLOBAL (or something like that) at runtime and version in experimental of libltdl can optionally set it
+         - synfig <unfixed> (embed)
+ harfbuzz
+         - qt4-x11 <unfixed> (embed)
+ libzip
+         - php5 <unfixed> (fork)
+         - odt2txt <unfixed> (embed; bug #523808)
+ json.php (not packaged; should be replaced with php's built-in functions)
+         - moodle <unfixed>
+         - yui <unfixed>
+         - gallery2 <unfixed>
+         - dokuwiki <unfixed>
+         - typo3-src <unfixed>
+ php-fpdf
+         - tcpdf <itp> (fork)
+         - moodle <unfixed>
+         - phpwiki <unfixed>
+         - egroupware <unfixed>
+         - ldap-account-manager <unfixed> (fork)
+ tcpdf (itp: #495985)
+         - moodle <unfixed>
+         - phpmyadmin <unfixed>
- TinyMCE:
- wordpress
- moodle
- knowledgeroot
- joomla (ITP)
- scintilla:
- scite
- qscintilla
- qscintilla2
- geany
- libphp-adodb:
- gallery2
- phppgadmin
- egroupware
- phpwiki
- ipplan
  typo3
- moodle
+         - moodle <unfixed>
- cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)
- gzip:
- linux-kernel (lib/inflate.c)
- klibc (based on linux-kernel gzip code)
- busybox
- neon:
- cadaver (all, but being worked on: #188381)
- gnome-vfs2 (#395874)
- litmus (#395875)
- screem (sarge only)
- sitecopy (#395876)
- tla (etch/sid only: #395877)
- libmodplug:
- gst-plugins-bad0.10
- libvncserver:
- vino
- putty:
- filezilla
- tinyxml (not packaged in Debian):
- filezilla
- gv:
- evince (ps/ tree from gv 3.5.8)
- evince-gtk (not packaged in Debian)
- libXbae:
- libpawlib2-lesstif package (from Cernlib)
- libXaw:
- libpawlib2-lesstif package (from Cernlib)
- (I plan to deal with the above two cases after Etch release. -- KevinMcCarty)
- libgd2:
+ spreadsheet_writeexcel (PHP port of libspreadsheet-writeexcel-perl; itp: #487557)
- graphviz (lib/gd seems to be 2.0.33)
+         - moodle <unfixed>
+         - gosa <unfixed>
+ php-ole (itp: #487558)
+         - moodle <unfixed>
+ pieforms (http://www.catalyst.net.nz)
+         - mahara <unfixed>
+ savant2 (http://phpsavant.com)
+         - egroupware <unfixed>
+ rssparser (http://nwow.org)
+         - egroupware <unfixed>
+         - phpgroupware <unfixed>
+ lcms
+         - openjdk-6 <unfixed> (fork)
+ libphp-phplayersmenu
+         - diogenes <unfixed>
+         - phpldapadmin <unfixed>
+ libphp-pclzip
+         - docvert <unfixed>
+         - moodle <unfixed>
+         - egroupware <unfixed>
+ libphp-simplepie
+         - dokuwiki <unfixed>
+ libphp-jpgraph
+         - egroupware <unfixed>
+ php-simpletest
+         - moodle <unfixed>
+ libpng
+         - iceweasel <not-affected> (uses xulrunner)
+         - icedove 1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1, 2.0.0.19-1 (embed)
+         - iceape 1.0.13~pre080614i-0etch1 (embed)
+         - xulrunner 1.9.0.13-1 (embed)
+         [lenny] - xulrunner 1.9.0.11-0lenny1
+         [etch] - xulrunner 1.8.0.15~pre080614i-0etch1 (embed)
+         - gamera 3.2.3-1 (embed)
+ irssi
+         - silc-client <unfixed> (embed)
+         NOTE: Seems to be a pre-0.8.12 version that is used in irssi-plugin-silc
+ extc
+         - mtasc <unfixed> (embed)
+         - haxe <unfixed> (embed)
+ swflib
+         - mtasc <unfixed> (embed)
+         - haxe <unfixed> (embed)
+ libitext-java
+         - bouncycastle 2.1.4-1 (embed)
+ python-ply
+         - pyke <unfixed> (embed; bug #555363)
+         - pywbem <unfixed> (embed; bug #555364)
+         - sepolgen <unfixed> (embed; bug #555365)
+         - zope-textindexng3 <unknown> (embed)
+         - iceweasel <not-affected> (uses xulrunner)
+         - xulrunner <unknown> (embed)
+         - wireshark <not-affected> (python-ply modules are not installed into binary packages; see #554613)
+ libdumbnet (libdnet upstream)
+         - nmap <unfixed> (fork)
+ gcc-4.4
+         - gcc-mingw32 <unfixed> (embed)
+ camlimages
+         - advi <unfixed> (static; bug #550441)
+ memcached
+         - memcachedb <unfixed> (embed)
+ yajl
+         - argyll <unfixed> (embed; bug #544223)
+         NOTE: reference, confirmed by build logs: http://lists.debian.org/debian-mentors/2009/08/msg00062.html
+ nusoap
+         - gforge 4.8.2-1 (embed)
+ libept
+         - adept <unfixed> (embed; bug #540649)
+ libvorbis
+         - iceweasel <not-affected> (uses xulrunner)
+         - xulrunner <unfixed> (embed; bug #540959)
+         [etch] - xulrunner <not-affected> (introduced in firefox 3.5)
+         [lenny] - xulrunner <not-affected> (introduced in firefox 3.5)
+         - iceape <unfixed> (embed)
+         [etch] - iceape <not-affected> (introduced in 2.0)
+         [lenny] - iceape <not-affected> (introduced in 2.0)
+ cairo
+         - iceweasel <not-affected> (uses xulrunner)
+         - xulrunner 1.8.0.15~pre080614i-0etch1 (embed)
+ liboggz
+         - iceweasel <not-affected> (uses xulrunner)
+         - xulrunner <unfixed> (embed; bug #540959)
+         [etch] - xulrunner <not-affected> (introduced in firefox 3.5)
+         [lenny] - xulrunner <not-affected> (introduced in firefox 3.5)
+         - iceape <unfixed> (embed)
+         [etch] - iceape <not-affected> (introduced in 2.0)
+         [lenny] - iceape <not-affected> (introduced in 2.0)
+ liboggplay
+         - iceweasel <not-affected> (uses xulrunner)
+         - xulrunner <unfixed> (embed; bug #540959)
+         [etch] - xulrunner <not-affected> (introduced in firefox 3.5)
+         [lenny] - xulrunner <not-affected> (introduced in firefox 3.5)
+         - iceape <unfixed> (embed)
+         [etch] - iceape <not-affected> (introduced in 2.0)
+         [lenny] - iceape <not-affected> (introduced in 2.0)
+ php-net-dnsbl
+         - serendipity <unfixed> (embed)
+ php-onyx-rss
+         - serendipity <unfixed> (embed)
+ php-text-wiki
+         - serendipity <unfixed> (embed)
+ php-xml-rpc
+         - serendipity <unfixed> (embed)
+ polarssl (does not have a shared library)
+         - pdkim <itp> (embed; bug #543150)
+         - xyssl <unfixed> (old-version)
+ pidgin
+         - gaim <removed> (old-version)
+         - qutecom <unfixed> (embed; bug #559785)
+ icu
+         - webkit 1.0.1-1 (embed; bug #547214)
+         - texlive-bin <unfixed> (fork)
+         NOTE: texlive upstream working with icu upstream to merge their changes
+ cyrus-imapd-2.2
+         - kolab-cyrus-imapd <unfixed> (fork)
+         - dovecot 1:1.2.1-1 (embed) [/dovecot-sieve/src/libsieve/*]
+ python-cxx-dev
+         - freecad <unfixed> (embed; bug #547936)
+ libzipios++-dev
+         - freecad <unfixed> (embed; bug #547941)
+ linux-2.6
+         - kvm <unfixed> (embed; bug #549973) [./kernel/*]
+         - linux-kbuild-2.6 <unfixed> (embed; bug #550379) [./kbuild/*]
+         - kernel-source-2.6.8 <removed> (old-version)
+         - kernel-source-2.4.27 <removed> (old-version)
+         - kernel-source-2.4.24 <removed> (old-version)
+         - kernel-source-2.2.25 <removed> (old-version)
+         - kernel-source-2.2.20 <removed> (old-version)
+ libfdt (not yet packaged separately for debian; http://www.jdl.com/software/)
+         - kvm <unfixed> (embed) [./libfdt/*]
+ qweb (not packaged)
+         - ajaxterm <unfixed>
+ opensaml2
+         - opensaml <removed> (old-version)
+ shibboleth-sp2
+         - shibboleth-sp <removed> (old-version)
+ tuxonice-userui
+         - suspend2-userui <removed> (old-version)
+ expat
+         - w3c-libwww <removed> (embed; bug #551941)
+         [etch] - w3c-libwww <unfixed> (embed; bug #551941) [./modules/expat/*]
+         - python-xml <unfixed> (embed; bug #551940) [./extensions/expat/*]
+         - python2.5 <unfixed> (embed; bug #553403) [./Modules/expat/*]
+         - python2.4 <unfixed> (embed; bug #553403)
+         - wxwindows2.4 <removed> (embed)
+         - wxwidgets2.6 <unfixed> (embed)
+         - wxwidgets2.8 <unfixed> (embed)
+         - celementtree <unfixed> (embed)
+         - audacity 1.3.2-1 (embed)
+         - matanza <unfixed> (embed)
+         - tdom <unfixed> (embed)
+         - udunits <unfixed> (embed)
+         - apr-util 1.2 (embed)
+         - ayttm <unfixed> (embed)
+         - cableswig <unfixed> (embed)
+         - cadaver <unfixed> (embed)
+         - cmake <unfixed> (embed)
+         - coin3 <unfixed> (embed)
+         - gdcm <unfixed> (embed)
+         - ghostscript <unfixed> (embed)
+         - grmonitor <unfixed> (embed)
+         - iceape <unfixed> (embed)
+         - insighttoolkit <unfixed> (embed)
+         - libparagui1.1 <unfixed> (embed)
+         - paraview <unfixed> (embed)
+         - poco <unfixed> (embed)
+         - simgear <unfixed> (embed)
+         - sitecopy <unfixed> (embed)
+         - smart 1.0-1 (embed)
+         [etch] - smart <unfixed> (embed)
+         - swish-e <unfixed> (embed)
+         - tla <unfixed> (embed)
+         - vtk <unfixed> (embed)
+         - wbxml2 <unfixed> (embed)
+         - xmlrpc-c <unfixed> (embed)
+         - iceweasel <unfixed> (embed)
+         - kompozer <unfixed> (embed)
+         - vxl <unfixed> (embed)
+         - xulrunner <unfixed> (embed)
+         - apache2 2.2 (embed)
+         - texlive-bin <unfixed> (embed) [included twice]
+         - vnc4 <unfixed> (embed)
+         - xotcl <unfixed> (embed)
+ xerces-c
+         - xerces-c2 <unfixed> (old-version)
+         - xerces27 <removed> (old-version)
+ md5 (RSA's version; not the gnu version provided by coreutils)
+         - w3c-libwww <removed> (embed; bug #551942)
+         [etch] - w3c-libwww <unfixed> (embed; bug #551942) [./modules/md5/*]
+ enet
+         - sauerbraten <unfixed> (embed; #497194)
+ eglibc
+         - glibc <removed> (old-version)
+ galib
+         - gamera 3.2.3-1 (embed)
+ configobj
+         - bzr <unfixed> (embed; bug #555336)
+         - elisa <unfixed> (embed; bug #555337)
+         - gaupol <unfixed> (embed; bug #555338)
+         - ipython <unfixed> (embed; bug #555339)
+         - pida <unfixed> (embed; bug #555340)
+         - psychopy <unfixed> (embed; bug #555341)
+         - rest2web <unfixed> (embed; bug #555342)
+         - auth2db <unknown> (embed)
+         - dynagen <unknown> (embed)
+         - iceweasel <unknown> (embed)
+         - sabnzbdplus <unknown> (embed)
+         - xulrunner <unknown> (embed)
+         - nipy <not-affected> (part of an example [/examples/neurospin/neurospy/configobj.py], which is not installed into binary packages)
+ python-clientform
+         - bibus <unfixed> (embed; bug #555332)
+         - zope2.10 <unfixed> (embed; bug #555333)
+         - zope2.11 <unfixed> (embed; bug #555334)
+         - python-mechanize <unknown> (embed)
+         - twill <unknown> (embed)
+ python-mechanize
+         - zope2.10 <unfixed> (embed; bug #555337)
+         - zope2.11 <unfixed> (embed; bug #555338)
+         - twill <unknown> (embed; bug #555339)
+ pexpect
+         - duplicity 0.6.06-1 (embed; bug #555361)
+         - hplip <unfixed> (embed; bug #555362)
+         - smart <unfixed> (embed; bug #555363)
+ pyparsing
+         - bauble <unfixed> (embed; bug #555366)
+         - boa-constructor 0.6.1-8 (embed; bug #555367)
+         - calibre <unfixed> (embed; bug #555368)
+         - matplotlib <unfixed> (embed; bug #531024)
+         - zhpy <unfixed> (embed; bug #555370)
+         - polybori <unknown> (embed)
+         - python-whoosh <unknown> (embed)
+         - twill <unknown> (embed)
+         - zope-textindexng3 <unknown> (embed)
+ python-pysqlite2
+         - python2.4 <unfixed> (embed; bug #553403)
+         - python2.5 <unfixed> (embed; bug #553403)
+ celementtree
+         - python2.5 <unfixed> (embed)
+         - smart 1.0-1 (embed)
+         [etch] - smart <unfixed> (embed)
+ elementtree
+         - python2.5 <unfixed> (embed)
+         - bzr <unfixed> (embed; bug #555343)
+         - gedit 2.28.2-1 (embed; bug #555344)
+         - smart 1.0-1 (embed)
+         [etch] - smart <unfixed> (embed)
+         - solfege <unfixed> (embed; bug #555345)
+         - w3af <unfixed> (embed; bug #555346)
+         - python-qt4 <unknown> (embed)
+         - sphinx <unknown> (embed)
+         - python-nltk <itp> (embed)
+ python2.5
+         - python2.4 <unfixed> (old-version)
+         - jython <unfixed> (embed)
+         NOTE: embeds many stdlib modules
+         - python-django <unfixed> (embed; bug #555419)
+         NOTE: embeds stdlib modules: doctest, decimal
+         - gamera 3.2.3-1 (embed)
+         NOTE: embeds stdlib modules: ConfigParser, optparse, sets, textwrap
+         - boa-constructor <unfixed> (embed; bug #555426)
+         NOTE: embeds stdlib modules: ConfigParser, tarfile, zipfile, xmlrpclib
+         - nicotine <unfixed> (embed; bug #555427)
+         NOTE: embeds stdlib modules: ConfigParser
+         - museek+ <unfixed> (embed; bug #555428)
+         NOTE: embeds stdlib modules: ConfigParser
+         - vegastrike-data <unfixed> (embed)
+         NOTE: embeds many stdlib modules
+         - codespeak-lib 1.1.1-1 (embed; bug #555420)
+         NOTE: embeds stdlib modules: doctest, optparse, subprocess, textwrap
+         - config-manager <unfixed> (embed; bug #555423)
+         NOTE: embeds stdlib modules: optparse
+         - jhbuild 2.28.0-1 (embed; bug #555421)
+         NOTE: embeds stdlib modules: optparse, subprocess
+         - smart <unfixed> (embed; bug #555432)
+         NOTE: embeds stdlib modules: optparse
+         - pyprotocols 1.0a.svn20070625-5 (embed; bug #555433)
+         NOTE: embeds stdlib modules: doctest
+         - ruledispatch 0.5a.svn20080510-4 (embed; bug #555434)
+         NOTE: embeds stdlib modules: doctest
+         - distribute <unfixed> (embed)
+         NOTE: embeds stdlib modules: doctest
+         - python-setuptools <unfixed> (embed; bug #555435)
+         NOTE: embeds stdlib modules: doctest
+         - zope.testing <unfixed> (embed; bug #555436)
+         NOTE: embeds stdlib modules: doctest
+         - translate-toolkit <unfixed> (embed; bug #555422)
+         NOTE: embeds stdlib modules: textwrap, contextlib
+         - libtpclient-py <unfixed> (embed; bug #555424)
+         NOTE: embeds stdlib modules: subprocess
+         - grass <unfixed> (embed; bug #555425)
+         NOTE: embeds stdlib modules: subprocess
+         - coherence <unfixed> (embed; bug #555429)
+         NOTE: embeds stdlib modules: uuid
+         - python-django-extensions 0.4.2pre+git200911182050-1 (embed; bug #555430)
+         NOTE: embeds stdlib modules: uuid
+         - setroubleshoot <unfixed> (embed; bug #555431)
+         NOTE: embeds stdlib modules: uuid
+         - linkchecker <unfixed> (embed; bug #555414)
+         NOTE: embeds msgfmt.py script
+         - imdbpy <unfixed> (embed)
+         NOTE: embeds msgfmt.py script
+         - kiwi <unfixed> (embed)
+         NOTE: embeds msgfmt.py script
+         - moin <unfixed> (embed)
+         NOTE: embeds msgfmt.py script, stdlib modules: cgitb, difflib, tarfile
+         - plone3 <unfixed> (embed)
+         NOTE: embeds msgfmt.py script
+         - roundup <unfixed> (embed)
+         NOTE: embeds msgfmt.py script, stdlib modules: cgitb
+         - rednotebook <unfixed> (embed; bug #555415)
+         NOTE: embeds msgfmt.py script
+         - turbogears <unfixed> (embed)
+         NOTE: embeds msgfmt.py script
+         - elisa <unfixed> (embed)
+         NOTE: embeds msgfmt.py script, stdlib modules: uuid
+         - calibre <unfixed> (embed)
+         NOTE: embeds msgfmt.py script, stdlib modules: zipfile
+         - mailman <unfixed> (embed; #555416)
+         NOTE: embeds msgfmt.py script
+         - python-docutils <unknown> (embed)
+         NOTE: embeds stdlib modules: optparse, textwrap
+         - python-imaging <unknown> (embed)
+         NOTE: embeds stdlib modules: doctest
+         - python-mechanize <unknown> (embed)
+         NOTE: embeds stdlib modules: doctest
+         - twill <unknown> (embed)
+         NOTE: embeds stdlib modules: subprocess
+         - zeroc-ice <unknown> (embed)
+         NOTE: embeds stdlib modules: subprocess
+         - wxwidgets2.8 <unknown> (embed)
+         NOTE: embeds stdlib modules: subprocess
+         - cycle <unknown> (embed)
+         NOTE: embeds msgfmt.py script
+         - deluge <unknown> (embed)
+         NOTE: embeds msgfmt.py script
+         - opendict <unknown> (embed)
+         NOTE: embeds msgfmt.py script
+         - openerp-client <unknown> (embed)
+         NOTE: embeds msgfmt.py script
+         - rapidsvn <unknown> (embed)
+         NOTE: embeds msgfmt.py script
+         - wammu <unknown> (embed)
+         NOTE: embeds msgfmt.py script
+         - gaphor <unknown> (embed)
+         NOTE: embeds msgfmt.py script
+         - pida <unknown> (embed)
+         NOTE: embeds msgfmt.py script
+         - python-formencode <unknown> (embed)
+         NOTE: embeds msgfmt.py script
+         - duplicity <unfixed> (embed)
+         NOTE: embeds stdlib module: urlparse, tarfile
+         - pygopherd <unfixed> (embed)
+         NOTE: embeds stdlib module: zipfile
+ argparse
+         - twill <unfixed> (embed; bug #555347)
+         - ipython <unfixed> (embed; bug #555348)
+ coherence
+         - elisa <unfixed> (embed; bug #555335)
+ simpletal
+         - plastex <unfixed> (embed; bug #555371)
+ flickrpc (not packaged in Debian, http://burtonini.com/bzr/flickrpc/)
+         - postr <unfixed> (embed)
+         - elisa <unfixed> (embed)
+ simplegeneric (not packaged in Debian, http://pypi.python.org/pypi/simplegeneric)
+         - apertium-tolk <unfixed> (embed)
+         - ipython <unfixed> (embed)
+         - virtaal <unfixed> (embed)
+ distribute
+         - setuptools <removed> (old-version)
+ rails
+         - jruby1.2 <unfixed> (embed) [./bench/rails/*]
+         - libgettext-ruby <unfixed> (embed) [./samples/rails/*]
+         - libopenid-ruby <unfixed> (embed) [./examples/rails_openid/*]
+         - thin <unfixed> (embed) [./spec/rails_app/*]
+         NOTE: this is a subdirectory of examples, which in general is a non-issue, but may
+         NOTE: be dangerous if developers are naively basing their code off of the examples
+         NOTE: prototype.js is among the example files
+ lucene2 (prototype.js is among the embeds in the following)
+         - lucene <unfixed> (old-version)
+         - pylucene <unfixed> (embed)
+         - libpdfbox-java <unfixed> (embed)
+         - libfontbox-java <unfixed> (embed)
+         - libjempbox-java <unfixed> (embed)
+         - solr <unfixed> (embed)
+ unicode-data
+         - syslinux <unfixed> (embed)
+         - camomile <unfixed> (embed)
+         - fribidi <unfixed> (embed)
+         - m17n-db <unfixed> (embed)
+         - sbcl <unfixed> (embed)
+         - heimdal <unfixed> (embed)
+         - icu <unfixed> (embed)
+         - icu4j <unfixed> (embed)
+         - krb5 <unfixed> (embed)
+         - moodle <unfixed> (embed)
+         - openldap <unfixed> (embed)
+         - pike7.6 <unfixed> (embed)
+         - samba <unfixed> (embed)
+         - samba4 <unfixed> (embed)
+         - cmucl <unfixed> (embed)
+         - typo3-src <unfixed> (embed)
+         - mauve <unfixed> (embed)
+         - texlive-bin <unfixed> (embed)
+         - ypsilon <unfixed> (embed)
+         - jeuclid <unfixed> (embed)
+         - charmap.app <unfixed> (embed)
+         - clisp <unfixed> (embed)
+         - gnulib <unfixed> (embed)
+         - opensrs-client <unfixed> (embed)
+         - saxonb <unfixed> (embed)
+         - rails <unfixed> (embed)
+ feedparser
+         - rawdog <unfixed> (embed; bug #383422)
+         - miro <unfixed> (embed; bug #555351)
+         - calibre <unfixed> (embed; bug #555352)
+         - freevo <unfixed> (embed; bug #555353)
+         - pida <unfixed> (embed; bug #555354)
+         - planet-venus <unfixed> (embed; bug #555355)
+         - plone3 <unfixed> (embed; bug #555356)
+         - exaile 0.2.14+debian-1 (embed)
+         - screenlets 0.1.2-3 (embed)
+         NOTE: included twice
+ agg:
+         - matplotlib <unfixed> (embed: bug #377271)
+         - contextfree <unfixed> (embed)
+         NOTE: since 2.2-1 it links statically to system libagg, but still uses the embedded copy
+         - exactimage <unfixed> (embed)
+         - python-enable <unfixed> (embed)
+         - mapnik 0.5.1-3 (embed)
+         NOTE: links statically to agg, but shared library is not available (bug #377271)
+ vtk
+         - paraview <unfixable> (embed; bug #495426)
+ txt2tags
+         - rednotebook <unfixed> (embed)
+ htmltextview (not packaged in Debian, http://www.gnome.org/~gjc/htmltextview.py)
+         - gajim <unfixed> (embed)
+         - emesene <unfixed> (embed)
+         - convirt <unfixed> (embed)
+         - pida <unfixed> (embed)
+         - rednotebook <unfixed> (embed)
+ horde3 (prototype.js is among the embeds in the following)
+         - mnemo2 <unfixed> (embed)
+         - nag2 <unfixed> (embed)
- rar:
+ cimg
- unrar-nonfree
+         - gmic <itp> (embed)
- unrar-free: (maybe this code is derived from the original rar, too?)
+ mootools
- clamav (seems to be disabled in default config)
+         - gmic <itp> (embed)
- mplayer (DirectMedia Object loader):
+ openldap
- xine-lib (src/libw32dll/)
+         - openldap2.3 <removed> (old-version)
- vlc (modules/codec/dmo/)
- libwpd (WordPerfect converter):
+ grub2
- openoffice.org
+         - grub <unfixed> (old-version)
- fsplib (http://sourceforge.net/projects/fsp/):
- gftp (lib/fsplib version 0.3)
- librpcsecgss:
- krb5
- jasper:
- ghostscript
- gs-gpl
- libidn:
- monotone
- liblua:
- monotone
- libbotan:
- montone
- NetXX:
- monotone
- libgc:
+ gnupginterface
- mono
+         - duplicity <unfixed> (embed)
- lzma:
+ python-dateutil
- p7zip
+         - awn-extras-applets <unfixed> (embed)
+         - matplotlib <unknown> (embed)
+ cups
+         - cupsys <removed> (old-version)
+ yui
+         - bcfg2 <not-affected> (present in source but not included in any binary files)
+         - serendipity <unfixed> (embed; bug #557746)
+         - moodle 1.8.2.dfsg-5 (embed)
+         - jifty <unfixed> (embed; bug #557748)
+         - webgui 7.7.26-1 (embed)
+         - loggerhead 1.17-1 (embed)
+ quake3 (vanilla source not packaged in debian)
+         - openarena <unfixable> (fork)
+ quake2 (vanilla source not packaged in debian)
+         - alien-arena <unfixable> (fork)
+         - warsow <unfixable> (fork)
+ libtheora
+         - iceweasel <not-affected> (uses xulrunner)
+         - xulrunner <unfixed> (embed; bug #540959)
+         [etch] - xulrunner <not-affected> (introduced in firefox 3.5)
+         [lenny] - xulrunner <not-affected> (introduced in firefox 3.5)
+         - iceape <unfixed> (embed; bug #559276)
+         [etch] - iceape <not-affected> (introduced in iceape 2.0)
+         [lenny] - iceape <not-affected> (introduced in iceape 2.0)
+ dtoa
+         - bfilter <unfixed> (embed)
+         - cacao <unfixed> (embed)
+         - cdrdao <unfixed> (embed)
+         - classpath <unfixed> (embed)
+         - freej <unfixed> (embed)
+         - iceape <unfixed> (embed)
+         - iceweasel <unfixed> (embed)
+         - jscoverage <unfixed> (embed)
+         - kde4libs <unfixed> (embed)
+         - kdelibs <unfixed> (embed)
+         - kompozer <unfixed> (embed)
+         - libv8 <unfixed> (embed)
+         - mono <unfixed> (embed)
+         - newlib <unfixed> (embed)
+         - nspr <unfixed> (embed)
+         - php5 <unfixed> (embed)
+         - polyml <unfixed> (embed)
+         - qt4-x11 <unfixed> (embed)
+         - rhino <unfixed> (embed)
+         NOTE: code translated to Java
+         - ruby1.8 <unfixed> (embed)
+         - ruby1.9 <unfixed> (embed)
+         - ruby1.9.1 <unfixed> (embed)
+         - sdd <unfixed> (embed)
+         - sfind <unfixed> (embed)
+         - star <unfixed> (embed)
+         - tinymux <unfixed> (embed)
+         - virtualbox-ose <unfixed> (embed)
+         - webkit <unfixed> (embed)
+         - xulrunner <unfixed> (embed)
+ ipc (not packaged in Debian; see http://mozdev.org/pipermail/enigmail/2009-November/011678.html)
+         - firegpg <unfixed> (embed)
+         - enigmail <unfixed> (embed)
+ ptmalloc (not packaged in Debian)
+         - crystalspace <unfixed> (embed)
+         - qt4-x11 <unfixed> (embed)
+ svgalib
+         - usplash <unfixed> (embed)
+ bogl
+         - usplash <unfixed> (embed)
+ taglist
+         - usplash <unfixed> (embed)
+ portaudio
+         - audacity <unfixed> (embed; bug #323711)
+ nyquist
+         - audacity <unfixed> (embed)
+         NOTE: embeds a forked nyquist with support for a shared library
- lzo:
+ vamp-plugin-sdk
- grub2
+         - audacity <unfixed> (embed)
- pax code:
+ wordpress
- tar
+         - libwordpress-xmlrpc-perl <unfixed> (embed) [./xmlrpc.php]
- cpio
- t1lib:
+ php5
- tetex-bin (links to system t1lib since 2.0.2)
+         - php4 <removed> (old-version)
- texlive-bin (links to system t1lib)
+ classpath
+         - libgnucrypto-java <unfixed> (embed; bug #559788)

 Legend:



Removed from v.7696
 


changed lines


 
Added in v.13476
 Legend:



Removed from v.7696
 


changed lines


 
Added in v.13476
-Removed from v.7696
+Added in v.13476

	ViewVC Help
Powered by ViewVC 1.1.5