/[secure-testing]/data/embedded-code-copies

Diff of /data/embedded-code-copies

Parent Directory | Revision Log | View Patch Patch

-revision 7830 by nion,
Fri Jan  4 18:01:23 2008 UTC
+revision 13712 by geissert,
Mon Jan  4 23:43:03 2010 UTC
 Line 1
  Embedded code copies
  ====================
- This file collects cases, where a source package embeds code from
+ This file collects source packages that embed code from other projects.
- other projects which is considered bad for fixing security flaws
+ This is considered bad for fixing security flaws because the fix needs
- because the fix needs to be applied in multiple source packages.
+ to be applied in multiple source packages.
  Format:
  <srcpkg> (<optional comment about srcpkg>)
          - <embedding srcpkg> <status> (<sort>; bug #<number>)
          NOTE: optional comments about the linkage of the embedding srcpkg
- status: version number fixing the embedded copy, <unfixed>, <removed> or <unknown> if the version number can not be determined
+ status: version number fixing the embedded copy, <unfixed>, <removed>,
+         <itp>, <not-affected>, <unknown> if the version number can not
+         be determined, or <unfixable> for unavoidable cases (e.g., forks
+         that add real value)
  sort: static (linking statically against a lib)
-       embed (embedding a copy of the library into another source package)
+       embed (embeds a copy of the library into another source package)
-       fork (the package is not just embedding code but it is a fork and thus might share parts of the source code)
+       modified-embed (embeds a code copy that differs from upstream code)
+       fork (a full-blown fork of another source package)
+       old-version (an older version of essentially the same code)
- The srcpkg might be some string to identify the code if there is no specific source package.
+ The srcpkg might be some string to identify the code if there is no
+ specific source package.
+ Everything up to the next line is ignored.
+ ---BEGIN
  xpdf (some srcpkgs use xpdf2 code, some xpdf3 code)
          NOTE: Fixed packages link to poppler library unless otherwise noted
-         - gpdf <removed>
-         [sarge] - gpdf <unfixed>
-         NOTE: has been replaced by evince in etch
          - pdftohtml <unknown>
          [sarge] - pdftohtml <unfixed>
          [etch] - pdftohtml <unfixed>
          NOTE: has been replaced by poppler-utils
-         - kdegraphics <unfixed> (embed; bug #436164)
+         - kdegraphics 4:4.2.2-1 (embed; bug #436164)
-         NOTE: the kpdf replacement in KDE 4 is using poppler
+         - texlive-base 3.0-12 (embed)
-         - tetex-bin 3.0-12 (embed)
          - texlive-bin 2007-1 (embed)
          NOTE: links to poppler
          - koffice <unfixed> (embed; bug #436163)
          - libextractor 0.5.12-1 (embed)
          NOTE: libextractor is using its own pdf decoder now
-         - libextractor 0.5.12-1 (embed)
-         - pdfkit.framework 0.8-4 (embed)
          - ipe <unfixed> (embed)
          NOTE: embeds small parts with renamed source files: ipestdfonts.cpp, ipefonts.cpp, ipedct.cpp
          - ruby-gnome2 <unknown> (embed)
          NOTE: copy only present in source but links to poppler
+         - pdfedit <unfixed> (embed; bug #510794)
+         - swftools <unfixed> (embed; bug #551293)
+         - poppler <unfixable> (fork)
  ppmd
-         - libcomplearn-mod-ppmd <unfixed> (embed; bug #458152)
+         - libcomplearn-mod-ppmd <unfixed> (fork)
+         NOTE: discussion in #458152
+ libevent
+         - transmission 1.71-1 (embed; bug #529372)
+ lrmi
+         - read-edid 2.0.0-1 (embed; bug #495131)
+         - s3switch <unfixed> (embed)
+         - xresprobe <unfixed> (embed)
+         - zhcon <unfixed> (embed)
+ peercast
+         - gnome-peercast <removed> (embed)
+         [etch] - gnome-peercast <unfixed> (embed)
  silc-toolkit
          - silc-client 1.1~beta6-1 (embed)
+ icclib
+         - ghostscript <unfixed> (embed)
+         - argyll <unfixed> (embed)
  dietlibc
          - ccontrol 0.9.1+20071204-1 (static)
+ libmikmod
+         - sdl-mixer1.2 <unfixed> (embed)
+         TODO: report bug
  libiax
-         - iaxmodem <unfixed> (embed)
+         - iaxmodem <unfixable> (embed; bug #548885)
+ spandsp
+         - iaxmodem <unfixable> (embed; bug #548885)
  zlib (lots of apps embed a copy, but link dynamically, but there are a few exceptions)
-         - dpkg <unfixed> (embed)
+         - dpkg <unfixed> (static)
          NOTE: see 18196.48620.491996.624772@davenant.relativity.greenend.org.uk on debian-devel for discussion
          - rsync <unfixed> (embed)
          NOTE: somehow derived code base
-Line 64 
 zlib (lots of apps embed a copy, but lin
+Line 94 
 zlib (lots of apps embed a copy, but lin
          - pvpgn 1.7.8-2 (embed)
          - mrtg 2.12.2-1 (embed)
          - rpm <unknown> (embed)
-         NOTE: pinged joeyh since when rpm was fixed
+         NOTE: pinged anibal since when rpm was fixed
+         - tuxcmd-modules <unfixed> (embed)
+         - zsync <unfixed>
+         - tra <unfixed>
+         - sash <unfixed>
+         - nsis <unfixed>
+         - mseide-msegui <unfixed>
+         NOTE: mseide
+         - mirrordir <unfixed>
+         - poco <unfixed>
+         - klibc <unfixed>
+         - ghostscript <unfixed>
+         - freeimage <unfixed>
+         - clamav <unfixed> (fork)
+         NOTE: from the changelog: "libclamav6 does indeed duplicate parts of the zlib code, but there is not way around that"
+         - tuxonice-userui <unfixed>
+         - plt-scheme <unfixed>
+         - perl <unfixed>
+         - paraview <unfixed>
+         - gcvs <unfixed>
+         - dump <unfixed>
+         - aide <unfixed> (static)
+         - dar <unfixed> (static)
+         - avfs <unfixed>
+         - fpc <unfixed>
+         - winff <unfixed>
+         NOTE: inherited from fpc, see #472304
+         - lazarus <unfixed>
+         NOTE: inherited from fpc, see #472304
+         - erlang <unfixed> (embed)
+         - gamera 3.2.3-1 (embed)
+         - python2.4 <unfixed> (embed; bug #553403)
+         - python2.5 <unfixed> (embed; bug #553403)
+ dulwich
+         - hg-git 0.1.0-1 (embed; bug #541996)
+ libvigraimpex
+         - hugin <unfixed> (embed; bug #542259)
+         - enblend-enfuse <unfixed> (embed; bug #542258)
+         - gamera 3.2.3-1 (embed)
  libbz2
          - dpkg <unfixed> (static)
- ekg
+ libgadu
-         - centericq <unfixed> (embed)
+         - centerim <unfixed> (embed; bug #559783)
-         - gaim <unfixed> (embed)
+         - pidgin <not-affected> (links dynamically since initial release; fixed in gaim)
-         - pigdin <unfixed> (embed)(links dynamically against libgadu)
+         - gaim 1:2.0.0+beta3-3 (embed; bug #360280)
-         - kopete 4:3.3.2-5 (embed)
+         - kdenetwork 4:3.3.2-5 (embed)
-         - kadu <unfixed> (embed)
+         NOTE: from kdenetwork: kopete
-         - gadu <unfixed> (embed)
+         - ekg 1:1.8~rc0-1 (embed)
-         NOTE: g/kadu not packaged in Debian yet
+         - kadu 0.6.0.2-3 (embed; bug #504430)
+         - gadu <itp> (embed)
  xmlrpc (which package is the "origin" of this code?)
          - drupal <unfixed> (embed)
          - phpgroupware <unfixed> (embed)
          - egroupware <unfixed> (embed)
-         - phpwiki (embed)
+         - phpwiki <unfixed> (embed)
          - php4 <unfixed> (embed)
          TODO: check, php-pear, IIRC this was reorganized some weeks ago?
-Line 90 
 shtool (affects build-time only)
+Line 161 
 shtool (affects build-time only)
          - mysql-ocaml <unfixed> (embed)
          - php4 <unfixed> (embed)
- mozilla source code
+ xulrunner
-         - mozilla-firefox <unfixed> (embed)
+         - iceape <unfixed> (embed; bug #561749)
-         - mozilla-thunderbird
+         - iceweasel 2.0.0.19 (embed)
-         - firefox <removed>
+         - icedove <unfixed> (embed; bug #561750)
-         [etch] - firefox <unfixed> (embed)
+         - kompozer <unfixed> (embed; bug #532168)
-         - thunderbird <removed>
+         - galeon 2.0.2-4 (embed)
-         [etch] - thunderbird <unfixed> (embed)
+         - epiphany-browser 2.14.3-8 (embed)
-         - iceweasel <unfixed> (embed)
+         - conkeror 0.9~git080629-2 (embed)
-         - iceape <unfixed> (embed)
+         - kazehakase 0.4.2-1 (embed)
-         - icedove <unfixed> (embed)
-         - xulrunner <unfixed> (embed)
-         - nvu <removed> (embed)
  xli
          - xloadimage <unfixed> (embed)
  lesstif (beware: two different lesstif APIs supported in one package, MOTIF 1.2 discarded upstream)
          - openmotif <unfixed> (embed)
-         - xfree86/xorg <unfixed> (embed)
+         - libxpm <unfixed> (embed)
-         NOTE: in libxpm
  kerberized apps with BSD origin
-         - krb4 <unfixed> (embed)
+         - krb4 <removed> (embed)
          - krb5 <unfixed> (embed)
          - heimdal <unfixed> (embed)
  grip (which pkg is the origin?)
-         - libcdaudio
+         - libcdaudio <unfixed>
-         - grip
+         - grip <unfixed>
-         - gnome-vfs
+         - gnome-vfs <unfixed>
          TODO: check vfs2 as well
  fudforum
-         - phpgroupware-fudforum <unfixed> (embed)
+         [etch] - phpgroupware <unfixed> (embed)
-         - egroupware-fudforum <removed>
+         NOTE: phpgroupware-fudforum
-         [sarge] - egroupware-fudforum <unfixed> (embed)
+         [sarge] - egroupware-fudforum <removed> (embed)
+ libbsd
+         - rdate 1:1.2-3 (embed)
+         - atheme-services <unfixed>
+         - libbsd-arc4random-perl <unfixed>
+         - isakmpd <unfixed>
+         - bsdgames <unfixed> (embed)
+         - bsd-mailx <unfixed> (embed)
+         - netcat-openbsd <unfixed> (embed; bug #550611)
+         - openssh <unfixed> (embed)
+         - unworkable <unfixed> (embed)
  cvs
          - gcvs <unfixed> (embed)
          NOTE: see cvsunix/src in tarball
- pcre
+ pcre3
-         - python* <unfixed> (embed)
          - php4 <unknown> (embed)
          - analog 2:5.23-0woody1 (embed)
-         - libgoffice-1 <unfixed> (embed)
+         - goffice <unfixed> (embed)
+         NOTE: libgoffice-*
          - vfu 4.06-4.1 (embed; bug #450754)
          - tf5 5.0beta7-1 (embed)
-         - monotone <unfixed> (embed)
+         - monotone 0.43-1 (embed)
          NOTE: this only affects versions >= 0.37
-         - glib <unfixed> (embed)
+         - glib2.0 2.15.2-1 (embed)
-         NOTE: 2.14 series for gregex support, only for udeb, regular packag links dynamic
          - apache2 2.0.53-4 (embed)
          - exim4 4.10-0.srh20.12 (embed)
          - yacas <unfixed> (embed)
          NOTE: <= 1.0.x; is using pcre to scan text, can execute shell commands via the syntax anyway
          - gtamsanalyzer.app 0.42-5 (embed)
+         - tin 980117-1 (embed)
+         - kazehakase 0.5.2-1
+         - webkit 1.0.1-1 (embed)
+         - qt4-x11 <unfixed> (embed)
+         NOTE: embedded via webkit copy
+         - erlang <unfixed> (embed)
+         - ssed <unfixed> (embed)
  tiff
-         - wxpythongtk <unfixed> (embed)
+         - wxwindows2.4 2.2.1 (embed)
-         TODO: check, which debian pkg this is in
+         - gamera 3.2.3-1 (embed)
  uudeview
          - libconvert-uulib-perl <unfixed> (embed)
+         - pan <unfixed> (embed)
  sqlite (not affected by security vulnerabilities so far)
          - amarok <unfixed> (embed)
-         - monotone <unfixed> (embed)
+         - monotone 0.43-1 (embed)
          - iceweasel <unfixed> (embed)
+         - heimdal <unfixed> (embed; bug #559616)
  util-linux/mount
          - loop-aes-utils <unfixed> (embed)
          NOTE: contains code from util-linux' mount in the mount-aes-udeb
- webmin
-         - usermin <unknown> (embed)
-         [sarge] - usermin <unfixed> (embed)
  sylpheed
          - sylpheed-claws <unfixed> (fork)
-Line 176 
 phpsysinfo
+Line 258 
 phpsysinfo
          - phpgroupware <unfixed> (embed)
  phpldapadmin
-         - [sarge] egroupware <unfixed> (embed)
+         [sarge] - egroupware <unfixed> (embed)
          NOTE: removed from egroupware after sarge
  chmlib
          - kchmviewer <unknown> (embed)
- libavcodec/libavformat (source: ffmpeg)
+ ffmpeg (libavcodec/libavformat)
-         - mplayer <unfixed> (embed; bug #395252)
+         - mplayer 1.0~rc2-14 (embed; bug #395252)
-         - xvidcap <unfixed> (embed)
+         - kino 1.0.0-1
-         - kino <unfixed> (static)
+         - vlc <not-affected> (Links dynamically since initial release)
-         - vlc <unfixed> (static)
+         - smilutils 0.3.0-10
-         - smilutils <unfixed> (static)
+         NOTE: smilutils likely fixed earlier, marking Etch's version as fixed
-         - motion <unfixed> (static)
+         - motion 3.1.19-1
-         - gst-ffmpeg <unfixed> (embed)
+         - gstreamer0.10-ffmpeg 0.10.3-2
-         - gstreamer0.10-ffmpeg <unfixed> (embed)
+         - xmovie <removed> (static)
-         - xmovie <unfixed>
+         TODO: gimp-gap (potentially using ffmpeg code as well)
+         - avifile 1:0.7.48~20090503.ds-1 (embed; bug #538750)
+         - audacity 1.3.7-2 (embed; bug #512278)
+ faad2
+         - mplayer 1.0~rc2-20 (embed)
+         - avifile <unfixed> (embed; bug #538750)
+         - ffmpeg-debian <removed> (old-version)
- mad MPEG decoding lib
+ libmad (MPEG decoding lib)
-         - mad <unfixed> (embed)
          - xine-lib <unfixed> (embed)
+         - avifile 1:0.7.48~20090503.ds-1 (embed) [./plugins/libmad/*]
+         TODO: check ocaml-mad, madplay, pymad, xmms-mad, xmms2
- libdts:
  libdts
- xine-lib
+         - xine-lib <unfixed> (embed)
- flac:
  flac
- xine-lib
+         - xine-lib <unfixed> (embed)
- liba52:
+ liba52
- a52dec
+         - a52dec <unfixed> (embed)
- xine-lib
+         - xine-lib <unfixed> (embed)
- libmpeg2:
+ libmpeg2
- mpeg2dec
+         - mpeg2dec <unfixed> (embed)
- xine-lib
+         - xine-lib <unfixed> (embed)
- curl:
+ libntlm
- wget (code for NTLM authentication)
+         - wget <unfixed> (fork; bug #550436)
+         - curl <unfixed> (fork; bug #550437)
+         - cntlm <unfixed> (fork; bug #550438)
- TODO evaluate:
+ uw-imap
- gimp-gap (potentially using ffmpeg code as well)
+         - pine <unfixed> (embed)
+         - alpine <unfixed> (embed)
- uw-imap:
+ imagemagick
- pine
+         - graphicsmagick <unfixed> (fork)
- alpine
- imagemagick:
+ python-urlgrabber
- graphicsmagick
+         - mercurial <unfixed> (embed; bug #531062)
+         - w3af <unfixed> (embed; bug #555372)
+         [experimental] - harvestman <unfixed> (embed; bug #555373)
- halibut:
+ beautifulsoup
- nsis
+         - python-mechanize <unfixed> (embed; bug #555349)
+         - zope2.11 <unfixed> (embed; bug #555350)
+         - twill <unknown> (embed)
- libghttp:
+ halibut
- hotway
+         - nsis <unfixed> (fork)
- libsndfile:
+ libghttp
- ardour
+         - hotway <unfixed> (embed)
- glibmm2.4:
+ libsndfile
- ardour
+         - ardour 1:2.7.1-1 (embed)
- libgnomecanvasmm2.6:
+ glibmm2.4
- ardour
+         - ardour 1:2.7.1-1 (embed)
- libsigc++-2.0:
+ libgnomecanvasmm2.6
- ardour
+         - ardour 1:2.7.1-1 (embed)
- soundtouch:
+ libsigc++-2.0
- ardour
+         - ardour 1:2.7.1-1 (embed)
+ soundtouch
+         - ardour 1:2.7.1-1 (embed)
+ libmms
+         - xine-lib <unfixed> (embed)
+         - mimms <unfixed> (embed)
+ fckeditor
+         - knowledgeroot 0.9.8.5-3 (embed; bug #461555)
+         - moin 1.8.2-2 (embed; bug #452599)
+         - karrigell <removed> (embed; bug #452598)
+         - gforge 4.6.99+svn6225-1 (embed)
+         - request-tracker3.8 <unfixed> (embed)
+         - otrs2 <unfixed> (embed)
+ ipatlas (not packaged in Debian)
+         - moodle <unfixed> (embed; bug #507185)
+ libphp-phpmailer
+         - moodle <unfixed> (embed; bug #507185)
+         - mahara <unfixed> (embed)
+         - symfony <unfixed> (embed)
+         [etch] - phpgroupware <unfixed> (embed)
+         NOTE: phpgroupware-felamimail is only in etch
+         - egroupware <unfixed> (embed; bug #504283)
+         - glpi <unfixed>
+ htmlArea (not packaged in Debian)
+         - moodle <unfixed> (embed)
+ giflib
+         - wine <unfixed> (embed; bug #466181)
+ bennu (not packaged in Debian, http://bennu.sourceforge.net)
+         - moodle <unfixed> (embed)
+ smarty
+         - moodle 1.8.2-2 (embed; bug #471158)
+         - gallery2 2.2.5-2 (embed; bug #471160)
+         - mahara 0.9.2-2 (embed; bug #471201)
+         - gosa 2.4beta1-1 (embed; bug #471200)
+ TinyMCE
+         - wordpress 2.5.1-3 (embed; bug #478257)
+         - moodle <unfixed> (embed; bug #507185)
+         - knowledgeroot <unfixed> (embed)
+         - joomla <itp> (bug #326398)
+ scintilla (upstream provides static lib, rejected shared lib http://sf.net/support/tracker.php?aid=2488121)
+         - scite <unfixed> (embed)
+         - qscintilla <unfixed> (embed)
+         - qscintilla2 <unfixed> (embed)
+         - geany <unfixed> (fork)
+         - anjuta <unfixed> (embed)
+ libphp-adodb
+         - moodle <unfixed> (embed; bug #507185)
+         NOTE: also AdoDB-XML Schema
+         - gallery2 <unfixed> (embed)
+         - phppgadmin <unfixed> (embed)
+         - egroupware <unfixed> (embed)
+         - phpwiki <unfixed> (embed)
+         - torrentflux 2.0beta1-2 (embed)
+         - ipplan <unfixed> (embed)
+         - typo3-src <unfixed> (embed)
+         - cacti <unknown> (embed)
+         [sarge] - cacti <unfixed> (embed)
+         NOTE: dependency exists, but internal version is used
+         - gforge 4.7~rc2-6 (embed)
+         - mahara <unfixed> (embed)
+ gzip
+         - linux-kernel <unfixed> (embed)
+         NOTE: lib/inflate.c
+         - klibc <unfixed> (embed)
+         NOTE: based on linux-kernel gzip code
+         - busybox <unfixed> (embed)
+ neon
+         - cadaver 0.22.3+debian-1 (embed; bug #188381)
+         - gnome-vfs2 <unfixed> (embed; bug #395874)
+         [etch] - litmus <unfixed> (embed; #395875)
+         - litmus <removed> (embed; #395875)
+         [sarge] - screem <unfixed> (embed)
+         - sitecopy 1:0.16.0-1 (embed; bug #395876)
+         [etch] - tla <unfixed> (embed; bug #395877)
+         [sarge] - tla <unfixed> (embed; bug #395877)
+ libmodplug
+         - gst-plugins-bad0.10 <unfixed> (embed)
+ libvncserver
+         - vino <unfixed> (embed)
+ putty
+         - filezilla <unfixed> (embed)
+ tinyxml (not packaged in Debian; itp bug #531968)
+         - filezilla <unfixed>
+         - crystalspace <unfixed> (embed)
+         - libwfut <unfixed> (embed)
+         - rarian <unfixed> (embed)
+         - bulletml <unfixed> (embed)
+         - pokerth <unfixed> (embed)
+         - qutecom <unfixed> (embed)
+         - sofa-framework <unfixed> (embed)
+         - yate <unfixed> (embed)
+         - antigrav <unfixed> (embed)
+         - balder2d <unfixed> (embed)
+         - cal3d <unfixed> (embed)
+         - criticalmass <unfixed> (embed)
+         - ember <unfixed> (embed)
+         - epiphany <unfixed> (embed)
+         - gambit <unfixed> (embed)
+         - noiz2sa <unfixed> (embed)
+         - ogre <unfixed> (embed)
+         - opencity <unfixed> (embed)
+         - openmovieeditor <unfixed> (embed)
+         - pouetchess <unfixed> (embed)
+         - tecnoballz <unfixed> (embed)
+         - trigger-rally <unfixed> (embed)
+         - xmoto <unfixed> (embed)
+         - mapnik <unknown> (embed)
+         NOTE: uses a different XML parser by default
+         - rrootage 0.23a-6 <embed>
+         NOTE: links to libbulltetml
+         - boson <unknown> (embed)
+         NOTE: the embedded code is unused
+ gv
+         - evince <unfixed> (embed)
+         NOTE: ps/ tree from gv 3.5.8
+         NOTE: evince-gtk is affected (a component of evince source package)
+ libXbae
+         - paw <removed> (embed)
+         [etch] - paw <unfixed> (embed)
+ libgtkhtml
+         - claws-mail-extra-plugins <unfixed> (fork)
+ libXaw
+         - paw <removed> (embed)
+         [etch] - paw <unfixed> (embed)
+         NOTE: I plan to deal with the above two cases after Etch release. -- KevinMcCarty
+ libgd2
+         - graphviz <unfixed> (embed)
+         NOTE: lib/gd seems to be 2.0.33
+         - wml <unfixed> (embed)
+         - libwmf <unfixed> (embed)
+         NOTE: derived from gd 1.6.3
+ rar
+         - unrar-nonfree <unfixed> (embed)
+ unrar-free (maybe this code is derived from the original rar, too?)
+         - clamav <unfixed> (embed)
+         NOTE: seems to be disabled in default config
+ mplayer (DirectMedia Object loader)
+         - xine-lib <unfixed> (embed)
+         NOTE: src/libw32dll/
+         - vlc <unfixed> (embed)
+         NOTE: modules/codec/dmo/
+         - mplayer 1.0~rc2-20 (embed)
+ libwpd (WordPerfect converter)
+         - openoffice.org <unfixed> (embed)
+ fsplib (http://sourceforge.net/projects/fsp/)
+         - gftp <unfixed> (embed)
+         NOTE: lib/fsplib version 0.3
+ sprng
+         - tree-puzzle <unfixed> (embed)
+ librpcsecgss
+         - krb5 <unfixed> (embed)
+ jasper
+         - ghostscript 8.64~dfsg-2 (embed)
+ libiris
+         - psi <unfixed> (embed)
+         - kdenetwork <unfixed> (embed)
+         NOTE: kopete embeds libiris but links dynamically to libidn
+         - kdegames <unfixed> (embed)
+         NOTE: ksirk/kde4
+ libidn
+         - monotone 0.43-1 (embed)
+         - psi <unfixed> (embed)
+         NOTE: psi embeds libiris which embeds libidn
+         - kdegames <unfixed> (embed)
+         NOTE: kdegames/kde4 embeds libiris which embeds libidn
+ lua5.1
+         - monotone 0.43-1 (embed)
+         - nmap 5.00-1 (embed; bug #527997)
+         [lenny] - nmap <unfixed> (embed; bug #527997)
+         - ocropus <unfixed> (embed)
+         - enigma <unfixed> (embed)
+         NOTE: requires lua built with C++
+         - freeciv <unfixed> (embed)
+         - spring <unfixed> (embed)
+ libbotan
+         - monotone 0.43-1 (embed)
+ NetXX
+         - monotone 0.43-1 (embed)
+ libgc
+         - mono <unfixed> (embed)
+ lzma
+         - p7zip <unfixed> (embed)
+         - xz-utils <unfixed> (fork)
+ lzo
+         - grub2 <unfixed> (embed)
+ yassl
+         - mysql-dfsg-5.0 <unfixed> (embed)
+ pax code
+         - tar <unfixed> (embed)
+         - cpio <unfixed> (embed)
+ t1lib
+         - tetex-bin 2.0.2-1 (embed)
+         - texlive-bin <unknown> (embed)
+ guichan
+         - boswars <unfixed> (embed)
+         NOTE: maintainer notified us, working on it
+ tolua
+         - boswars <unfixed> (embed)
+         NOTE: maintainer notified us, working on it
+         NOTE: actually tolua++
+         - ocropus <unfixed> (embed)
+         NOTE: actually tolua++
+         - freeciv <unfixed> (embed)
+         NOTE: actually tolua++
+         - enigma <unfixed> (embed)
+ asio-dev
+         - luxrender <removed> (embed)
- libmms:
  xine-lib
- mimms
+         - vlc <unfixed> (embed)
+         NOTE: only parts included in modules/access/rtsp
+ netpbm
+         - tcl8.3 <unfixed> (embed)
+         - tcl8.4 <unfixed> (embed)
+         - tcl8.5 <unfixed> (embed)
+         NOTE: generic/tkImgGIF.c
+ tk8.5
+         - tk8.0 <removed> (old-version)
+         - tk8.3 <unfixed> (old-version)
+         - tk8.4 <unfixed> (old-version)
+         - perl-tk <unfixable> (fork)
+ samba
+         - mc 2:4.6.2~git20080311-1 (embed)
+         NOTE: maintainer is aware of this, currently searching a solution
+ plib1.8.4c2
+         - boson <unfixed> (fork)
+         NOTE: embedding the font pieces of plib, based on the header file it is forked, contains "Added by AB for boson." and similar
+ fribidi
+         - quesoglc <unfixed> (embed)
+         NOTE: compiled against system fribidi in Debian - embed only used when fribidi is not available on the system
+ glew
+         - quesoglc <unfixed> (embed; bug #489341)
+         NOTE: waiting on GLEW_MX version of glew (see bug #474488)
+         - trigger <unfixed> (embed)
+         NOTE: http://lists.debian.org/debian-devel-games/2009/12/msg00007.html
+         - trigger-rally <unfixed> (embed)
+         NOTE: http://lists.debian.org/debian-devel-games/2009/12/msg00007.html
+ minorGems (pabs contacted upstream about shared lib, he considers minorGems an 'ever-evolving collection of reusable code fragments' for his own use)
+         - transcend <unfixed> (embed)
+         - cultivation <unfixed> (embed)
+         - passage <unfixed> (embed)
+         - gravitation <unfixed> (embed)
+ tar
+         - libarchive <unfixed> (embed)
+         NOTE: FreeBSD tar (tar/bsdtar.c) in libarchive 1.2 and higher. libarchive ends up statically linked into bsdtar executable
- FCKeditor: (packaged as fckeditor)
+ cpio
- knowledgeroot
+         - libarchive <unfixed> (embed)
- moin (452599)
+         NOTE: cpio included in libarchive 2.2 and higher, but not compiled until libarchive 2.4.11-1 (as bsdcpio package)
- karrigell (452598)
- gforge-plugins-extra (fixed since 4.6.99+svn6225-1)
+ webkit
+         - qt4-x11 <unfixed> (embed; bug #479851)
+         [etch] - qt4-x11 <not-affected> (webkit support introduced in version 4.4)
+         [lenny] - qt4-x11 <not-affected> (webkit support introduced in version 4.4)
+         - kdelibs <unfixed> (old-version)
+         - kde4libs <unfixed> (fork)
+ ftgl
+         - blender 2.46+dfsg-1 (embed)
+ wv
+         - abiword <unfixed>
+ qemu
+         - kvm <unfixed> (embed; bug #543159)
+         NOTE: the kvm package will be removed from sid and squeeze soon (after
+         NOTE: which it will only be in experimental). superceded by qemu-kvm.
+         - qemu-kvm <unfixed> (embed; bug #560853)
+         - xen-3 3.4.2-2 (embed; bug #560856)
+         - xen-unstable <unfixed> (embed; bug #560856)
+ vgabios
+         - kvm <unfixed> (embed; bug #489442)
+ bochs
+         - kvm <unfixed> (embed; bug #489442)
+ speex
+         - vorbis-tools <unfixed> (embed)
+         NOTE: while comiled against libspeex-dev, ogg123/speex_format.c is compiled with embedded code copied from speexdec.c
+         - gst-plugins-good0.10 <unfixed> (embed)
+         - xine-lib <unfixed> (embed)
+         - libfishsound <unfixed> (embed)
+         - libannodex <removed> (embed)
+         - vlc <unfixed> (embed)
+         - xmms-speex <unfixed> (embed)
+         - libsdl-sound1.2 <unfixed> (embed)
+         - sweep <unfixed> (embed)
+ libreadline
+         - magic <itp> (old-version)
+ opcode
+         - ode <unfixed> (embed)
+         NOTE: opcode is not a package in debian, it is just embedded
+         NOTE: http://www.codercorner.com/Opcode.htm
+ gimpact
+         - ode <unfixed> (embed)
+         NOTE: gimpact is not a package in debian, it is just embedded
+         NOTE: http://gimpact.sf.net
+ mochikit
+         - mahara <unfixed> (embed)
+         NOTE: they require extra patches, still unmerged upstream
+         - ntop <unfixed> (embed)
+         - coherence 0.6.2-1 (embed)
+         - paste <unfixed> (embed)
+         - turbogears <unfixed> (embed)
+         - plone3 <unfixed> (embed)
+         - xulrunner <unfixed> (embed)
+         - libjifty-plugin-chart-perl <unfixed> (embed)
+         - sabnzbdplus <unfixed> (embed)
+         - tgmochikit <unfixed> (embed)
+ prototypejs
+         - netbeans-ide 6.0.1+dfsg-2 (embed)
+         - auth2db 0.2.5-2+dfsg-1 (embed; bug #555218)
+         - webcit <unfixed> (embed; bug #555219)
+         - asterisk 1:1.6.2.0~rc3-1 (embed)
+         - libjson-ruby 1.1.4-1 (embed; bug #555224)
+         - lucene2 2.9.1+ds1-2 (embed; bug #555226)
+         - horde3 <unfixed> (embed)
+         - knowledgeroot <unfixed> (embed; bug #555230)
+         - mediatomb <unfixed> (embed; bug #555233)
+         - mt-daapd 0.9~r1696.dfsg-6lenny2 (embed)
+         - ebug-http <removed> (embed; bug #555236)
+         - libaws 2.7-1 (embed; bug #555222)
+         - phpgedview <removed> (embed)
+         - poker-network <removed> (embed; bug #555238)
+         - rails 2.1.0-6 (embed)
+         - wordpress 2.5.0-2 (embed; bug #555243)
+         - zope <not-affected> (the prototypejs embed is not in any of the obvious zope packages, e.g. zope2.9, zope2.10, zope2.11, and zope3)
+         TODO: search through all of the other zope packages
+         - ampache 3.4.1-2 (embed)
+         - exaile 0.2.14+debian-2.1 (embed; bug #555245)
+         - hobix 0.5~svn20070319-4 (embed; bug #555247)
+         - zabbix 1.6.6-4 (embed; bug #555250)
+         - chora2 <unfixed> (embed; bug #555253)
+         - gollem <unfixed> (embed; bug # 555254)
+         - jscropperui 1.2.1-1 (embed; bug #555257)
+         - scriptaculous <not-affected> (uses system prototype.js since initial upload; bug #555260)
+         - ingo1 <unfixed> (embed; bug #555261)
+         - kronolith2 <unfixed> (embed; bug #555262)
+         - activeldap <unfixed> (embed)
+         - libv8 <not-affected> (contains a google-specific implementation of prototype.js)
+         - mantis <unfixed> (embed; bug #555265)
+         - otrs2 2.3.4-6 (embed; bug #555267)
+         - webcalendar <unfixed> (embed; bug #555269)
+         - redmine 0.9.0~svn2907-1 (embed; bug #555270)
+         - jifty 0.90519-1 (embed; bug #555271)
+         - jquery <unfixed> (embed; bug #555272)
+         - passenger 2.2.5debian1-1 (embed; bug #555273)
+         - plone3 <unfixed> (embed; bug #555275)
+         - wesnoth <not-affected> (prototype.js not included in any of the binary packages; bug #555277)
+         - libhtml-prototype-perl 1.48-3 (embed; bug #538920)
+         - xulrunner <unfixed> (embed)
+         NOTE: included in iceweasel/xulrunner unit tests directory, so may not be security-relevant
+ gdb
+         - insight <unfixed> (embed)
- Moodle contains lots of things:
+ e2fsprogs
- AdoDB
+         - ldiskfsprogs <unfixable> (fork)
- AdoDB-XML Schema
- ipatlas
+ quazip (not packaged in Debian)
- PHPMailer
+         - qcake <unfixed> (embed)
- Smarty
+         NOTE: starting with upstream version 0.6.4
- htmlArea
- TinyMCE
+ exo
- bennu
+         - pcmanfm <unfixed> (embed; bug #499677)
+         NOTE: slightly modified source code
+ java
+         - openjdk-6 <unfixed>
+         - sun-java5 <unfixed>
+         - sun-java6 <unfixed>
+ libphp-snoopy
+         - ampache 3.4.1-2 (embed; bug #504169)
+         - gforge 4.6.99+svn6094-2 (embed)
+         - mahara 1.0.5-2 (embed; bug #504170)
+         - pixelpost 1.7.1-5 (embed; bug #504171)
+         - mediamate 0.9.3.6-5 (embed; bug #504172)
+         - opendb <removed> (embed; bug #504173)
+         [etch] - opendb <unfixed> (embed; bug #504173)
+         - wordpress 2.5.1-9 (embed; bug #443948)
+         - moodle <unfixed> (embed; bug #507185)
+         [etch] - phpgroupware <unfixed> (embed)
+         NOTE: phpgroupware-felamimail
+         - magpierss 0.72-3 (embed; bug #431089)
+ jquery
+         - zekr <unfixed> (embed)
+         - wordpress <unknown> (embed)
+         - yocto-reader <unfixed> (embed)
+         - textpattern <unfixed> (embed)
+         - genshi 0.5.1-1 (embed)
+         NOTE: compressed file under examples/ dir
+         - prewikka <unfixed> (embed)
+         - libramaze-ruby <unfixed> (embed)
+         - drupal5 <unfixed> (embed)
+         - b2evolution <unfixed> (embed)
+         - wesnoth <unfixed> (embed)
+ tablesorter (jquery plugin, not packaged yet)
+         - wesnoth <unfixed> (embed)
+ kses
+         - wordpress <unfixed> (embed; bug #504242)
+         NOTE: their copy has all methods renamed to wp_<foo>
+         NOTE: kses isn't in Debian, RFP: #504240
+         - moodle <unfixed> (embed; bug #507185)
+         - egroupware <unfixed> (embed)
+ magpierss
+         - wordpress <unfixed> (embed; bug #504242)
+         - moodle <unfixed>
+ php-gettext
+         - wordpress 2.8.4-1 (embed; bug #504242)
+         - docbookwiki <unfixed> (embed)
+         NOTE: non-free
+ libphp-ixr (name may change, it is the Incutio XML-RPC)
+         - wordpress <unfixed> (embed; bug #504242)
+         NOTE: libphp-ixr isn't in Debian, RFP: #504236
+         - dokuwiki <unfixed> (embed)
+         - textpattern <unfixed> (embed)
+ libphp-cas
+         - glpi <unfixed> (embed)
+         - moodle <unfixed> (embed; bug #505984)
+ scriptaculous (prototype.js is among the embeds in the following)
+         - glpi <unfixed> (embed)
+         - libaws <unfixed> (embed; bug #555222)
+         - op-panel <unfixed> (embed)
+         - symfony <unfixed> (embed)
+         NOTE: maintainer says there are extra incompatible changes required
+         - pixelpost 1.7.1-6 (embed)
+         - webhelpers <unfixed> (embed)
+         - qwik <removed> (embed; bug #555241)
+         - smokeping <unfixed> (embed)
+         - turba2 <unfixed> (embed)
+         - typo3-src 4.2.3-1 (embed)
+         - request-tracker3.6 <unfixed> (embed)
+         - request-tracker3.8 <unfixed> (embed)
+         - rt-extension-emailcompletion <not-affected> (prototype.js not included in the binary package)
+         - wordpress 2.5.0-2 (embed)
+         - libhtml-prototype-perl 1.48-3 (embed)
+ libmarkdown-php
+         - moodle <unfixed> (embed; bug #507185)
+         - pixelpost 1.7.1-6 (embed)
+ php-openid
+         - wordpress-openid <itp> (embed)
+ geshi
+         - dokuwiki 0.0.20080505-3.1 (embed)
+         - pgfouine 1.0-1.1 (embed)
+         - websvn 2.1.0-1 (embed)
+ webcalendar
+         - gforge 4.7~rc2-6 (embed; bug #504758)
+ libical
+         - kdepim <unfixed> (fork)
+         - kdepimlibs <unfixed> (fork)
+         NOTE: fixed in KDE4 post 4.1.x series
+         - claws-mail-extra-plugins <unfixed> (fork)
+ libltdl3
+         - kdelibs <unfixed> (embed)
+         NOTE: it's been said it sets RT_GLOBAL (or something like that) at runtime and version in experimental of libltdl can optionally set it
+         - synfig <unfixed> (embed)
+ harfbuzz
+         - qt4-x11 <unfixed> (embed)
+ libzip
+         - php5 <unfixable> (modified-embed)
+         - odt2txt <unfixed> (embed; bug #523808)
+ json.php (not packaged; should be replaced with php's built-in functions)
+         - moodle <unfixed>
+         - yui <unfixed>
+         - gallery2 <unfixed>
+         - dokuwiki <unfixed>
+         - typo3-src <unfixed>
+ php-fpdf
+         - tcpdf <itp> (fork)
+         - moodle <unfixed>
+         - phpwiki <unfixed>
+         - egroupware <unfixed>
+         - ldap-account-manager <unfixed> (fork)
+ tcpdf (itp: #495985)
+         - moodle <unfixed>
+         - phpmyadmin <unfixed>
- TinyMCE:
- wordpress
- moodle
- knowledgeroot
- joomla (ITP)
- scintilla:
- scite
- qscintilla
- qscintilla2
- geany
- libphp-adodb:
- gallery2
- phppgadmin
- egroupware
- phpwiki
- ipplan
  typo3
- moodle
+         - moodle <unfixed>
- cacti (dependency exists, but internal version is used -- only in sarge, fixed in etch)
- gzip:
+ spreadsheet_writeexcel (PHP port of libspreadsheet-writeexcel-perl; itp: #487557)
- linux-kernel (lib/inflate.c)
+         - moodle <unfixed>
- klibc (based on linux-kernel gzip code)
+         - gosa <unfixed>
- busybox
+ php-ole (itp: #487558)
+         - moodle <unfixed>
+ pieforms (http://www.catalyst.net.nz)
+         - mahara <unfixed>
+ savant2 (http://phpsavant.com)
+         - egroupware <unfixed>
+ rssparser (http://nwow.org)
+         - egroupware <unfixed>
+         - phpgroupware <unfixed>
+ lcms
+         - openjdk-6 <unfixed> (fork)
+ libphp-phplayersmenu
+         - diogenes <unfixed>
+         - phpldapadmin <unfixed>
+ libphp-pclzip
+         - docvert <unfixed>
+         - moodle <unfixed>
+         - egroupware <unfixed>
+ libphp-simplepie
+         - dokuwiki <unfixed>
+         - wordpress <unfixed>
+ libphp-jpgraph
+         - egroupware <unfixed>
+ php-simpletest
+         - moodle <unfixed>
+ libpng
+         - iceweasel <not-affected> (uses xulrunner)
+         - icedove 1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1, 2.0.0.19-1 (embed)
+         - iceape 1.0.13~pre080614i-0etch1 (embed)
+         - xulrunner 1.9.0.13-1 (embed)
+         [lenny] - xulrunner 1.9.0.11-0lenny1
+         [etch] - xulrunner 1.8.0.15~pre080614i-0etch1 (embed)
+         - gamera 3.2.3-1 (embed)
+ irssi
+         - silc-client <unfixed> (embed)
+         NOTE: Seems to be a pre-0.8.12 version that is used in irssi-plugin-silc
+ extc
+         - mtasc <unfixed> (embed)
+         - haxe <unfixed> (embed)
+ swflib
+         - mtasc <unfixed> (embed)
+         - haxe <unfixed> (embed)
+ libitext-java
+         - bouncycastle 2.1.4-1 (embed)
+ python-ply
+         - pyke <unfixed> (embed; bug #555363)
+         - pywbem 0.7.0-4 (embed; bug #555364)
+         - sepolgen <unfixed> (embed; bug #555365)
+         - zope-textindexng3 <unknown> (embed)
+         - iceweasel <not-affected> (uses xulrunner)
+         - xulrunner <unknown> (embed)
+         - wireshark <not-affected> (python-ply modules are not installed into binary packages; see #554613)
+ libdumbnet (libdnet upstream)
+         - nmap <unfixed> (fork)
+ gcc-4.4
+         - gcc-mingw32 <unfixed> (embed)
+ camlimages
+         - advi <unfixed> (static; bug #550441)
+ memcached
+         - memcachedb <unfixed> (embed)
+ yajl
+         - argyll <unfixed> (embed; bug #544223)
+         NOTE: reference, confirmed by build logs: http://lists.debian.org/debian-mentors/2009/08/msg00062.html
+ nusoap
+         - gforge 4.8.2-1 (embed)
+         - ampache <unfixed> (embed)
+         - poker-web <unfixed> (old-version)
+         - moodle <unfixed> (old-version)
+         NOTE: code is not used when running under php5 and soap is enabled
+         - phpwiki <unfixed> (old-version)
+         - gallery2 <unfixed> (old-version)
+         - typo3-src <unfixed> (old-version)
+ libept
+         - adept <unfixed> (embed; bug #540649)
+ libvorbis
+         - iceweasel <not-affected> (uses xulrunner)
+         - xulrunner <unfixed> (embed; bug #540959)
+         [etch] - xulrunner <not-affected> (introduced in firefox 3.5)
+         [lenny] - xulrunner <not-affected> (introduced in firefox 3.5)
+         - iceape <unfixed> (embed)
+         [etch] - iceape <not-affected> (introduced in 2.0)
+         [lenny] - iceape <not-affected> (introduced in 2.0)
- neon:
+ cairo
- cadaver (all, but being worked on: #188381)
+         - iceweasel <not-affected> (uses xulrunner)
- gnome-vfs2 (#395874)
+         - xulrunner 1.8.0.15~pre080614i-0etch1 (embed)
- litmus (#395875)
- screem (sarge only)
+ liboggz
- sitecopy (#395876)
+         - iceweasel <not-affected> (uses xulrunner)
- tla (etch/sid only: #395877)
+         - xulrunner <unfixed> (embed; bug #540959)
+         [etch] - xulrunner <not-affected> (introduced in firefox 3.5)
+         [lenny] - xulrunner <not-affected> (introduced in firefox 3.5)
+         - iceape <unfixed> (embed)
+         [etch] - iceape <not-affected> (introduced in 2.0)
+         [lenny] - iceape <not-affected> (introduced in 2.0)
- libmodplug:
+ liboggplay
- gst-plugins-bad0.10
+         - iceweasel <not-affected> (uses xulrunner)
+         - xulrunner <unfixed> (embed; bug #540959)
+         [etch] - xulrunner <not-affected> (introduced in firefox 3.5)
+         [lenny] - xulrunner <not-affected> (introduced in firefox 3.5)
+         - iceape <unfixed> (embed)
+         [etch] - iceape <not-affected> (introduced in 2.0)
+         [lenny] - iceape <not-affected> (introduced in 2.0)
- libvncserver:
+ php-net-dnsbl
- vino
+         - serendipity <unfixed> (embed)
- putty:
+ php-onyx-rss
- filezilla
+         - serendipity <unfixed> (embed)
- tinyxml (not packaged in Debian):
+ php-text-wiki
- filezilla
+         - serendipity <unfixed> (embed)
+ php-xml-rpc
+         - serendipity <unfixed> (embed)
+ polarssl (does not have a shared library)
+         - pdkim <itp> (embed; bug #543150)
+         - xyssl <unfixed> (old-version)
+ pidgin
+         - gaim <removed> (old-version)
+         - qutecom <unfixed> (embed; bug #559785)
+ icu
+         - webkit 1.0.1-1 (embed; bug #547214)
+         - texlive-bin <unfixed> (fork)
+         NOTE: texlive upstream working with icu upstream to merge their changes
+ cyrus-imapd-2.2
+         - kolab-cyrus-imapd <unfixed> (fork)
+         - dovecot 1:1.2.1-1 (embed) [/dovecot-sieve/src/libsieve/*]
+ python-cxx-dev
+         - freecad 0.9.2646.3-1 (embed; bug #547936)
+ zipios++
+         - freecad 0.9.2646.3-1 (embed; bug #547941)
+         - enigma 0.92.3-3 (embed)
+         NOTE: likely fixed earlier, marking etch's version as fixed
+ linux-2.6
+         - kvm <removed> (embed; bug #549973) [./kernel/*]
+         - linux-kbuild-2.6 <unfixed> (embed; bug #550379) [./kbuild/*]
+         - kernel-source-2.6.8 <removed> (old-version)
+         - kernel-source-2.4.27 <removed> (old-version)
+         - kernel-source-2.4.24 <removed> (old-version)
+         - kernel-source-2.2.25 <removed> (old-version)
+         - kernel-source-2.2.20 <removed> (old-version)
+ libfdt (not yet packaged separately for debian; http://www.jdl.com/software/)
+         - kvm <removed> (embed) [./libfdt/*]
+         - qemu-kvm <unfixed> (embed) [./libfdt/*]
+ qweb (not packaged)
+         - ajaxterm <unfixed>
+ opensaml2
+         - opensaml <removed> (old-version)
+ shibboleth-sp2
+         - shibboleth-sp <removed> (old-version)
+ tuxonice-userui
+         - suspend2-userui <removed> (old-version)
+ expat
+         - w3c-libwww <removed> (embed; bug #551941)
+         [etch] - w3c-libwww <unfixed> (embed; bug #551941) [./modules/expat/*]
+         - python-xml <unfixed> (embed; bug #551940) [./extensions/expat/*]
+         - python2.5 <unfixable> (embed; bug #553403) [./Modules/expat/*]
+         - python2.4 <unfixable> (embed; bug #553403)
+         - python-4suite <unfixed> (embed; bug #516935)
+         - wxwindows2.4 <removed> (embed)
+         - wxwidgets2.6 2.6.3.2.2-4 (embed)
+         - wxwidgets2.8 2.8.10.1-2 (embed)
+         - celementtree 1.0.5-8 (embed)
+         NOTE: Maybe that was fixed even earlier
+         - audacity 1.3.2-1 (embed)
+         - matanza <unfixed> (embed)
+         - tdom 0.8.3~20080525-1 (embed)
+         - udunits 2.1.8-4 (embed)
+         - apr-util 1.2 (embed)
+         - ayttm <unfxed> (embed; bug #561006)
+         - cableswig <unfixed> (embed)
+         - cadaver <unfixed> (embed)
+         - cmake 2.6.0-6 (embed)
+         - coin3 <unfixed> (embed)
+         - gdcm 2.0.14-2 (embed)
+         - ghostscript <unfixed> (embed)
+         - grmonitor <removed> (embed)
+         - iceape <unfixed> (embed)
+         - insighttoolkit 3.16.0-1 (embed)
+         NOTE: insighttoolkit might've been fixed earlier
+         - libparagui1.1 1.0.2-1 (embed)
+         - paraview <unfixed> (embed)
+         - poco <unfixed> (embed)
+         - simgear <unfixed> (embed)
+         - sitecopy 1:0.16.0-1
+         - smart 1.0-1 (embed)
+         - swish-e <unfixed> (embed)
+         - tla <unfixed> (embed)
+         - vtk 4.1.20030227-1 (embed)
+         - wbxml2 <unfixed> (embed)
+         - xmlrpc-c <unfixed> (embed)
+         - iceweasel <unfixed> (embed)
+         - kompozer <unfixed> (embed)
+         - vxl 1.13.0-2 (embed)
+         - xulrunner <unfixed> (embed)
+         - apache2 2.2 (embed)
+         - texlive-bin <not-affected> (Embedded code not compiled in)
+         - vnc4 <unfixed> (embed)
+         - xotcl <unfixed> (embed)
+ xerces-c
+         - xerces-c2 <unfixed> (old-version)
+         - xerces27 <removed> (old-version)
+ md5 (RSA's version; not the gnu version provided by coreutils)
+         - w3c-libwww <removed> (embed; bug #551942)
+         [etch] - w3c-libwww <unfixed> (embed; bug #551942) [./modules/md5/*]
+ enet
+         - sauerbraten <unfixed> (embed; #497194)
+ eglibc
+         - glibc <removed> (old-version)
+ galib
+         - gamera 3.2.3-1 (embed)
+ configobj
+         - bzr <unfixed> (embed; bug #555336)
+         - elisa <unfixed> (embed; bug #555337)
+         - gaupol <unfixed> (embed; bug #555338)
+         - ipython <unfixed> (embed; bug #555339)
+         - pida <unfixed> (embed; bug #555340)
+         - psychopy <unfixed> (embed; bug #555341)
+         - rest2web <unfixed> (embed; bug #555342)
+         - auth2db <unknown> (embed)
+         - dynagen <unknown> (embed)
+         - iceweasel <unknown> (embed)
+         - sabnzbdplus <unknown> (embed)
+         - xulrunner <unknown> (embed)
+         - nipy <not-affected> (part of an example [/examples/neurospin/neurospy/configobj.py], which is not installed into binary packages)
+ python-clientform
+         - bibus <unfixed> (embed; bug #555332)
+         - zope2.10 <unfixed> (embed; bug #555333)
+         - zope2.11 <unfixed> (embed; bug #555334)
+         - python-mechanize <unknown> (embed)
+         - twill <unknown> (embed)
+ python-mechanize
+         - zope2.10 <unfixed> (embed; bug #555337)
+         - zope2.11 <unfixed> (embed; bug #555338)
+         - twill <unknown> (embed; bug #555339)
+ pexpect
+         - duplicity 0.6.06-1 (embed; bug #555361)
+         - hplip <unfixed> (embed; bug #555362)
+         - smart <unfixed> (embed; bug #555363)
+ pyparsing
+         - bauble <unfixed> (embed; bug #555366)
+         - boa-constructor 0.6.1-8 (embed; bug #555367)
+         - calibre <unfixed> (embed; bug #555368)
+         - matplotlib <unfixed> (embed; bug #531024)
+         - zhpy <unfixed> (embed; bug #555370)
+         - polybori <unknown> (embed)
+         - python-whoosh <unknown> (embed)
+         - twill <unknown> (embed)
+         - zope-textindexng3 <unknown> (embed)
+ python-pysqlite2
+         - python2.4 <unfixed> (embed; bug #553403)
+         - python2.5 <unfixed> (embed; bug #553403)
+ celementtree
+         - python2.5 <unfixed> (embed)
+         - smart 1.0-1 (embed)
+         [etch] - smart <unfixed> (embed)
+ elementtree
+         - python2.5 <unfixed> (embed)
+         - bzr <unfixed> (embed; bug #555343)
+         - gedit 2.28.2-1 (embed; bug #555344)
+         - smart 1.0-1 (embed)
+         [etch] - smart <unfixed> (embed)
+         - solfege <unfixed> (embed; bug #555345)
+         - w3af <unfixed> (embed; bug #555346)
+         - python-qt4 <unknown> (embed)
+         - sphinx <unknown> (embed)
+         - python-nltk <itp> (embed)
+ python2.5
+         - python2.4 <unfixed> (old-version)
+         - jython <unfixed> (embed)
+         NOTE: embeds many stdlib modules
+         - python-django <unfixed> (embed; bug #555419)
+         NOTE: embeds stdlib modules: doctest, decimal
+         - gamera 3.2.3-1 (embed)
+         NOTE: embeds stdlib modules: ConfigParser, optparse, sets, textwrap
+         - boa-constructor <unfixed> (embed; bug #555426)
+         NOTE: embeds stdlib modules: ConfigParser, tarfile, zipfile, xmlrpclib
+         - nicotine <unfixed> (embed; bug #555427)
+         NOTE: embeds stdlib modules: ConfigParser
+         - museek+ <unfixed> (embed; bug #555428)
+         NOTE: embeds stdlib modules: ConfigParser
+         - vegastrike-data <unfixed> (embed)
+         NOTE: embeds many stdlib modules
+         - codespeak-lib 1.1.1-1 (embed; bug #555420)
+         NOTE: embeds stdlib modules: doctest, optparse, subprocess, textwrap
+         - config-manager <unfixed> (embed; bug #555423)
+         NOTE: embeds stdlib modules: optparse
+         - jhbuild 2.28.0-1 (embed; bug #555421)
+         NOTE: embeds stdlib modules: optparse, subprocess
+         - smart <unfixed> (embed; bug #555432)
+         NOTE: embeds stdlib modules: optparse
+         - pyprotocols 1.0a.svn20070625-5 (embed; bug #555433)
+         NOTE: embeds stdlib modules: doctest
+         - ruledispatch 0.5a.svn20080510-4 (embed; bug #555434)
+         NOTE: embeds stdlib modules: doctest
+         - distribute <unfixed> (embed)
+         NOTE: embeds stdlib modules: doctest
+         - python-setuptools <unfixed> (embed; bug #555435)
+         NOTE: embeds stdlib modules: doctest
+         - zope.testing <unfixed> (embed; bug #555436)
+         NOTE: embeds stdlib modules: doctest
+         - translate-toolkit <unfixed> (embed; bug #555422)
+         NOTE: embeds stdlib modules: textwrap, contextlib
+         - libtpclient-py <unfixed> (embed; bug #555424)
+         NOTE: embeds stdlib modules: subprocess
+         - grass <unfixed> (embed; bug #555425)
+         NOTE: embeds stdlib modules: subprocess
+         - coherence <unfixed> (embed; bug #555429)
+         NOTE: embeds stdlib modules: uuid
+         - python-django-extensions 0.4.2pre+git200911182050-1 (embed; bug #555430)
+         NOTE: embeds stdlib modules: uuid
+         - setroubleshoot <unfixed> (embed; bug #555431)
+         NOTE: embeds stdlib modules: uuid
+         - linkchecker <unfixed> (embed; bug #555414)
+         NOTE: embeds msgfmt.py script
+         - imdbpy <unfixed> (embed)
+         NOTE: embeds msgfmt.py script
+         - kiwi <unfixed> (embed)
+         NOTE: embeds msgfmt.py script
+         - moin <unfixed> (embed)
+         NOTE: embeds msgfmt.py script, stdlib modules: cgitb, difflib, tarfile
+         - plone3 <unfixed> (embed)
+         NOTE: embeds msgfmt.py script
+         - roundup <unfixed> (embed)
+         NOTE: embeds msgfmt.py script, stdlib modules: cgitb
+         - rednotebook <unfixed> (embed; bug #555415)
+         NOTE: embeds msgfmt.py script
+         - turbogears <unfixed> (embed)
+         NOTE: embeds msgfmt.py script
+         - elisa <unfixed> (embed)
+         NOTE: embeds msgfmt.py script, stdlib modules: uuid
+         - calibre <unfixed> (embed)
+         NOTE: embeds msgfmt.py script, stdlib modules: zipfile
+         - mailman <unfixed> (embed; #555416)
+         NOTE: embeds msgfmt.py script
+         - python-docutils <unknown> (embed)
+         NOTE: embeds stdlib modules: optparse, textwrap
+         - python-imaging <unknown> (embed)
+         NOTE: embeds stdlib modules: doctest
+         - python-mechanize <unknown> (embed)
+         NOTE: embeds stdlib modules: doctest
+         - twill <unknown> (embed)
+         NOTE: embeds stdlib modules: subprocess
+         - zeroc-ice <unknown> (embed)
+         NOTE: embeds stdlib modules: subprocess
+         - wxwidgets2.8 <unknown> (embed)
+         NOTE: embeds stdlib modules: subprocess
+         - cycle <unknown> (embed)
+         NOTE: embeds msgfmt.py script
+         - deluge <unknown> (embed)
+         NOTE: embeds msgfmt.py script
+         - opendict <unknown> (embed)
+         NOTE: embeds msgfmt.py script
+         - openerp-client <unknown> (embed)
+         NOTE: embeds msgfmt.py script
+         - rapidsvn <unknown> (embed)
+         NOTE: embeds msgfmt.py script
+         - wammu <unknown> (embed)
+         NOTE: embeds msgfmt.py script
+         - gaphor <unknown> (embed)
+         NOTE: embeds msgfmt.py script
+         - pida <unknown> (embed)
+         NOTE: embeds msgfmt.py script
+         - python-formencode <unknown> (embed)
+         NOTE: embeds msgfmt.py script
+         - duplicity <unfixed> (embed)
+         NOTE: embeds stdlib module: urlparse, tarfile
+         - pygopherd <unfixed> (embed)
+         NOTE: embeds stdlib module: zipfile
+ argparse
+         - twill <unfixed> (embed; bug #555347)
+         - ipython <unfixed> (embed; bug #555348)
+ coherence
+         - elisa <unfixed> (embed; bug #555335)
+ simpletal
+         - plastex <unfixed> (embed; bug #555371)
+ flickrpc (not packaged in Debian, http://burtonini.com/bzr/flickrpc/)
+         - postr <unfixed> (embed)
+         - elisa <unfixed> (embed)
+ simplegeneric (not packaged in Debian, http://pypi.python.org/pypi/simplegeneric)
+         - apertium-tolk <unfixed> (embed)
+         - ipython <unfixed> (embed)
+         - virtaal <unfixed> (embed)
+ distribute
+         - setuptools <removed> (old-version)
+ rails
+         - jruby1.2 <unfixed> (embed) [./bench/rails/*]
+         - libgettext-ruby <unfixed> (embed) [./samples/rails/*]
+         - libopenid-ruby <unfixed> (embed) [./examples/rails_openid/*]
+         - thin <unfixed> (embed) [./spec/rails_app/*]
+         NOTE: this is a subdirectory of examples, which in general is a non-issue, but may
+         NOTE: be dangerous if developers are naively basing their code off of the examples
+         NOTE: prototype.js is among the example files
+ lucene2 (prototype.js is among the embeds in the following)
+         - lucene <unfixed> (old-version)
+         - pylucene <unfixed> (embed)
+         - libpdfbox-java <unfixed> (embed)
+         - libfontbox-java <unfixed> (embed)
+         - libjempbox-java <unfixed> (embed)
+         - solr <unfixed> (embed)
+ unicode-data
+         - syslinux <unfixed> (embed)
+         - camomile <unfixed> (embed)
+         - fribidi <unfixed> (embed)
+         - m17n-db <unfixed> (embed)
+         - sbcl <unfixed> (embed)
+         - heimdal <unfixed> (embed)
+         - icu <unfixed> (embed)
+         - icu4j <unfixed> (embed)
+         - krb5 <unfixed> (embed)
+         - moodle <unfixed> (embed)
+         - openldap <unfixed> (embed)
+         - pike7.6 <unfixed> (embed)
+         - samba <unfixed> (embed)
+         - samba4 <unfixed> (embed)
+         - cmucl <unfixed> (embed)
+         - typo3-src <unfixed> (embed)
+         - mauve <unfixed> (embed)
+         - texlive-bin <unfixed> (embed)
+         - ypsilon <unfixed> (embed)
+         - jeuclid <unfixed> (embed)
+         - charmap.app <unfixed> (embed)
+         - clisp <unfixed> (embed)
+         - gnulib <unfixed> (embed)
+         - opensrs-client <unfixed> (embed)
+         - saxonb <unfixed> (embed)
+         - rails <unfixed> (embed)
+ feedparser
+         - rawdog <unfixed> (embed; bug #383422)
+         - miro <unfixed> (embed; bug #555351)
+         - calibre <unfixed> (embed; bug #555352)
+         - freevo <unfixed> (embed; bug #555353)
+         - pida <unfixed> (embed; bug #555354)
+         - planet-venus <unfixed> (embed; bug #555355)
+         - plone3 <unfixed> (embed; bug #555356)
+         - exaile 0.2.14+debian-1 (embed)
+         - screenlets 0.1.2-3 (embed)
+         NOTE: included twice
+ agg:
+         - matplotlib <unfixed> (embed: bug #377271)
+         - contextfree <unfixed> (embed)
+         NOTE: since 2.2-1 it links statically to system libagg, but still uses the embedded copy
+         - exactimage <unfixed> (embed)
+         - python-enable <unfixed> (embed)
+         - mapnik 0.5.1-3 (embed)
+         NOTE: links statically to agg, but shared library is not available (bug #377271)
+ vtk
+         - paraview <unfixable> (embed; bug #495426)
+ txt2tags
+         - rednotebook <unfixed> (embed)
+ htmltextview (not packaged in Debian, http://www.gnome.org/~gjc/htmltextview.py)
+         - gajim <unfixed> (embed)
+         - emesene <unfixed> (embed)
+         - convirt <unfixed> (embed)
+         - pida <unfixed> (embed)
+         - rednotebook <unfixed> (embed)
+ horde3 (prototype.js is among the embeds in the following)
+         - mnemo2 <unfixed> (embed)
+         - nag2 <unfixed> (embed)
+         - wordpress <unfixed> (embed)
+         NOTE: Text_Diff (wp-includes/Text/Diff*)
- gv:
+ cimg
- evince (ps/ tree from gv 3.5.8)
+         - gmic <itp> (embed)
- evince-gtk (not packaged in Debian)
- libXbae:
+ mootools
- libpawlib2-lesstif package (from Cernlib)
+         - gmic <itp> (embed)
- libXaw:
+ openldap
- libpawlib2-lesstif package (from Cernlib)
+         - openldap2.3 <removed> (old-version)
- (I plan to deal with the above two cases after Etch release. -- KevinMcCarty)
+ grub2
+         - grub <unfixed> (old-version)
- libgd2:
+ gnupginterface
- graphviz (lib/gd seems to be 2.0.33)
+         - duplicity <unfixed> (embed)
- rar:
+ python-dateutil
- unrar-nonfree
+         - awn-extras-applets <unfixed> (embed)
+         - matplotlib <unknown> (embed)
+ cups
+         - cupsys <removed> (old-version)
+ yui
+         - bcfg2 <not-affected> (present in source but not included in any binary files)
+         - serendipity <unfixed> (embed; bug #557746)
+         - moodle 1.8.2.dfsg-5 (embed)
+         - jifty 0.91117-1 (embed; bug #557748)
+         - webgui 7.7.26-1 (embed)
+         - loggerhead 1.17-1 (embed)
+ quake3 (vanilla source not packaged in debian)
+         - openarena <unfixable> (fork)
+ quake2 (vanilla source not packaged in debian)
+         - alien-arena <unfixable> (fork)
+         - warsow <unfixable> (fork)
+ libtheora
+         - iceweasel <not-affected> (uses xulrunner)
+         - xulrunner <unfixed> (embed; bug #540959)
+         [etch] - xulrunner <not-affected> (introduced in firefox 3.5)
+         [lenny] - xulrunner <not-affected> (introduced in firefox 3.5)
+         - iceape <unfixed> (embed; bug #559276)
+         [etch] - iceape <not-affected> (introduced in iceape 2.0)
+         [lenny] - iceape <not-affected> (introduced in iceape 2.0)
+ dtoa
+         - bfilter <unfixed> (embed)
+         - cacao <unfixed> (embed)
+         - cdrdao <unfixed> (embed)
+         - classpath <unfixed> (embed)
+         - freej <unfixed> (embed)
+         - iceape <unfixed> (embed)
+         - iceweasel <unfixed> (embed)
+         - jscoverage <unfixed> (embed)
+         - kde4libs <unfixed> (embed)
+         - kdelibs <unfixed> (embed)
+         - kompozer <unfixed> (embed)
+         - libv8 <unfixed> (embed)
+         - mono <unfixed> (embed)
+         - newlib <unfixed> (embed)
+         - nspr <unfixed> (embed)
+         - php5 <unfixed> (embed)
+         - polyml <unfixed> (embed)
+         - qt4-x11 <unfixed> (embed)
+         - rhino <unfixed> (embed)
+         NOTE: code translated to Java
+         - ruby1.8 <unfixed> (embed)
+         - ruby1.9 <unfixed> (embed)
+         - ruby1.9.1 <unfixed> (embed)
+         - sdd <unfixed> (embed)
+         - sfind <unfixed> (embed)
+         - star <unfixed> (embed)
+         - tinymux <unfixed> (embed)
+         - virtualbox-ose <unfixed> (embed)
+         - webkit <unfixed> (embed)
+         - xulrunner <unfixed> (embed)
+ ipc (not packaged in Debian; see http://mozdev.org/pipermail/enigmail/2009-November/011678.html)
+         - firegpg <unfixed> (embed)
+         - enigmail <unfixed> (embed)
+ ptmalloc (not packaged in Debian)
+         - crystalspace <unfixed> (embed)
+         - qt4-x11 <unfixed> (embed)
+ svgalib
+         - usplash <unfixed> (embed)
- unrar-free: (maybe this code is derived from the original rar, too?)
+ bogl
- clamav (seems to be disabled in default config)
+         - usplash <unfixed> (embed)
- mplayer (DirectMedia Object loader):
+ taglist
- xine-lib (src/libw32dll/)
+         - usplash <unfixed> (embed)
- vlc (modules/codec/dmo/)
+ portaudio
+         - audacity <unfixed> (embed; bug #323711)
+ nyquist
+         - audacity <unfixed> (embed)
+         NOTE: embeds a forked nyquist with support for a shared library
+ vamp-plugin-sdk
+         - audacity <unfixed> (embed)
+ wordpress
+         - libwordpress-xmlrpc-perl <removed> (embed) [./xmlrpc.php]
- libwpd (WordPerfect converter):
+ php5
- openoffice.org
+         - php4 <removed> (old-version)
- fsplib (http://sourceforge.net/projects/fsp/):
+ classpath
- gftp (lib/fsplib version 0.3)
+         - libgnucrypto-java <unfixed> (embed; bug #559788)
- librpcsecgss:
+ libtool
- krb5
+         - apr <unfixed> (static; bug #489625)
+         NOTE: ships copy of libtool in libapr1-dev; was 'embed' before 1.3.2-3
+         - arts <unfixed> (embed)
+         - bochs 2.4.2-1 (embed; bug #560884)
+         - camserv <unfixed> (embed)
+         - collectd <unfixed> (embed)
+         - courier-authlib 0.58-4 (embed)
+         NOTE: The etch version of courier-authlib was the earliest version checked, might be fixed earlier
+         - cvsnt <unfixed> (embed)
+         - dico <not-affected> (Uses the system copy of ltdl)
+         - freeradius 0.1+20010527-1 (embed)
+         NOTE: Earliest reference I could find from the changelog is from 27 May 2001
+         - ggobi 2.1.9~20091212-1 (embed)
+         - glame 2.0.1-4 (embed)
+         NOTE: The etch version of glame was the earliest version checked, might be fixed earlier
+         - gnash <unfixed> (embed)
+         - gnu-smalltalk <unfixed> (embed)
+         - google-gadgets 0.10.5-0.3 (embed)
+         NOTE: 0.10.5-0.3 was the earliest version checked, was fixed earlier
+         - graphicsmagick 1.3.5-6 (embed)
+         - graphviz 2.8-3 (embed)
+         NOTE: The etch version of graphviz was the earliest version checked, might be fixed earlier
+         - guile-1.6 1.6.8-7 (embed)
+         - hamlib <unfixed> (embed)
+         - hercules <unfixed> (embed)
+         - jags 1.0.4-3 (embed; bug #560864)
+         - kdelibs <unfixed> (embed)
+         - libannodex <removed> (embed)
+         - libextractor <unfixed> (embed)
+         - libmcrypt <not-affected> (libtool source present but not included in any of the binary packages)
+         - libtunepimp <unfixed> (embed)
+         - mp4h <unfixed> (embed)
+         - naim <unfixed> (embed)
+         - parser-mysql <unfixed> (embed)
+         - pinball <unfixed> (embed)
+         - redland <unfixed> (embed)
+         - siproxd <unfixed> (embed)
+         - ski <unfixed> (embed)
+         - synfig <unfixed> (embed)
+         - unixodbc 2.2.4-5 (embed)
+         - xmlsec1 <not-affected> (Doesn't enable dynamic loading of crypto modules)
+         - clamav 0.95+dfsg-1 (embed)
+         - imagemagick 6:6.2.3.1-1 (embed)
+         - hypre 2.4.0b-5 (embed)
+         - lam <unfixed> (embed)
+         - openmpi <unfixable> (embed; bug #559386)
+         - parser <unfixed> (embed)
+         - pdsh 2.18-5 (embed; bug #560892)
+         - sbnc 1.2-8 (embed)
+         - sdcc <unfixed> (embed)
+         - wml <unfixed> (embed)
+         - proftpd-dfsg <unfixed> (embed; bug #561748)
+         - babel 1.4.0.dfsg-5 (embed)
+         - libprelude 0.9.14-2 (embed)
+         - heartbeat 2.1.4-7 (embed)
+         NOTE: From Squeeze onwards the system copy of ltdl is used, use the current version from Squeeze,
+         NOTE: might've been fixed earlier
+         - gcc-* <unknown> (embed)
+ ocamlgsl
+         - orpie 1.5.1-7.1 (embed; bug #550058)
+ xdotool
+         - keynav <unfixed> (embed; bug #560103)
+ bulletphysics (not packaged; http://www.bulletphysics.org/)
+         - supertuxkart <unfixed> (embed)
+         - blender <unfixed> (embed)
- jasper:
  ghostscript
- gs-gpl
+         - gs-gpl <removed> (old-version)
- libidn:
+ icedove
- monotone
+         - thunderbird <removed> (old-version)
- liblua:
+ sizzlejs (not packaged in Debian, http://sizzlejs.com/)
- monotone
+         - libjs-jquery <unfixed> (embed)
- libbotan:
+ sed
- montone
+         - ssed <unfixed> (fork)
- NetXX:
+ phpatomlib (http://code.google.com/p/phpatomlib)
- monotone
+         - wordpress <unfixed> (embed)
- libgc:
+ Services_JSON (http://pear.php.net/package/Services_JSON)
- mono
+         - wordpress <unfixed> (embed)
- lzma:
+ phpass (http://www.openwall.com/phpass/)
- p7zip
+         - gallery2 <unfixed> (embed)
+         - wordpress <unfixed> (embed)
+         - typo3-src <unfixed> (fork)
+         NOTE: file refers to drupal, maybe there's a copy somewhere there
+         NOTE: a copyright owner search didn't match anything
+         - libauthen-passphrase-perl <unfixable> (fork)
+         NOTE: perl implementation of phpass
- lzo:
+ squirrelmail
- grub2
+         - wordpress <unfixed> (embed)
+         NOTE: class-pop3.php
- pax code:
+ ezSQL (http://www.woyano.com/jv/ezsql)
- tar
+         - wordpress <unfixable> (fork)
- cpio
+         NOTE: wp-db.php
+ Diff.php (Clay Loveless' version/killersoft.com)
+         - php-versioncontrol-svn <unfixed>
- t1lib:
+ libm
- tetex-bin (links to system t1lib since 2.0.2)
+         - spring <unfixed> (embed)
- texlive-bin (links to system t1lib)
+         NOTE: embedded by embedded copy of streflop
+ streflop
+         - spring <unfixed> (embed)
+ minizip
+         - spring <unfixed> (embed)
+ oscpack
+         - spring <unfixed> (embed)
+ hpiutil2
+         - spring <unfixed> (embed)
+ p7zip
+         - spring <unfixed> (embed)

 Legend:



Removed from v.7830
 


changed lines


 
Added in v.13712
 Legend:



Removed from v.7830
 


changed lines


 
Added in v.13712
-Removed from v.7830
+Added in v.13712

	ViewVC Help
Powered by ViewVC 1.1.5