secure-testing/hardening/subgoal-dsa.txt

Hardening subgoal for Wheezy:
All packages, which had a DSA since 2006. 

Instructions:
- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
- After NMUing a candidate where all build flags have been successfully enabled, 
  add it to the "Resolved/fixed:" list
- After NMUing a candidate with only some of the build flags enabled, add it to
  the "Partially fixed: list (in order to remember what needs further work in the 
  future)
- cdbs packages should be fixed automatically, but needs to be double-checked


Candidates:

abcmidi
acpid (653502)
alsaplayer
amarok (653354)
amule (653503)
apt (653504)
asterisk
audiofile (651029)
avahi
barnowl (653506)
beid
blender
bluez-hcidump
bochs
bsdgames
bzip2
cabextract
capi4hylafax
cgiirc
cheesetracker
chmlib
chrony
citadel
clamav
collectd
courier
courier-authlib
cpio
crawl
cscope (653490)
ctorrent
curl
cyrus-imapd-2.2
devil
devscripts
dia
djbdns
dkim-milter
dovecot
dpkg
drbd8
dspam
e2fsprogs
ejabberd
ekg
emacs23
enscript
exiftags
exiv2
expat
fetchmail
file (653481)
firebird2.5
flex
fontforge
freeciv
freeradius
fuse
ganglia
eglibc
gmime2.4
pioneers
gnumeric
gnupg (653480)
gv
gzip
hashcash
heartbeat
hostapd
hplip
htdig
httrack
hybserv
hylafax
iceape
iceweasel (653191)
id3lib3.8.3
imagemagick
imlib2
inotify-tools
ircd-hybrid
isakmpd
isc-dhcp
iscsitarget
kaffeine
kazehakase
kde4libs
kdebase
kdegraphics
kolab-cyrus-imapd
krb5
krb5-appl
ktorrent
kvirc
l2tpns
lasso
lcms
lftp
libapache2-mod-authnz-external
libapache2-mod-auth-pgsql
libapache-mod-auth-kerb
libapache-mod-jk
libarchive
libav
cairo
libcdaudio
libcgroup
libdbd-pg-perl
libdumb
libexif
libextractor
libfishsound
libhtml-parser-perl
libimager-perl
libmikmod
libmodplug
libnet-dns-perl
libpam-heimdal
libpam-krb5
libpng
librpcsecgss
libsmi
libsndfile
libtk-img
libtool
libtorrent-rasterbar
libtunepimp
libvorbis
libwpd
libxfont
libxml2
libxslt
lighttpd
links2
linux-ftpd
loop-aes-utils
ltsp
lurker
lvm2
lynx-cur
maildrop
mapserver
maradns
memcached
mimetex
mldonkey
mlmmj
mon
mono
mpg123
mplayer
mplayer2
forked-daapd
mtr
multipath-tools
mutt
mysql-ocaml
icinga
nas
nbd
ndiswrapper
netpbm-free
netrik
net-snmp
newt
nginx
no-ip
noweb
nsd3
nspr
nss
nss-pam-ldapd
ntp
openafs
openexr
open-iscsi
openjdk-6
libreoffice
opensaml2
opensc
openssl (653495)
openswan
openvpn
oprofile
osiris
pam-pgsql
pcre3
pcsc-lite
pdns
pdns-recursor
perdition
perl
petris
pimd
pinball
pound
ppp
pptpd
proftpd-dfsg
psi
pstotext
pygresql
python2.6
python2.7
python3.2
python-cjson
qemu
qemu-kvm
qt4-x11
qt-x11-free
rdesktop (653498)
rssh
rsync (652248)
ruby-gnome2
sash
scponly
screen
sdl-image1.2
slurm-llnl
smstools
snmptrapfmt
socat
spamassassin
spamass-milter
speex
splitvt
squidguard
strongswan
subversion
sudo
suphp
syslog-ng
systemtap
tcpreen
telepathy-gabble
texinfo
tgt
thttpd
tinymux
tinyproxy
tk8.4
tk8.5
tuxpaint
typespeed
unbound
unicon
unzip
util-linux
vlc
vnc4
webcit
webkit
wesnoth
wget
wine
wml
wxwidgets2.6
wxwidgets2.8
wzdftpd
x11-xserver-utils
xapian-omega
xine-lib
xmcd
xmlsec1
xml-security-c
xmltooling
xterm (653488)
zabbix
zodb
zoo


Packages using cdbs, which need additional fixes:
icedove


Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
  the upload of dpkg/1.16.1:
koffice
libspf2
wordnet
sendmail
afuse
bomberclone
camlimages
couchdb
crossfire
dvipng
eggdrop
gdm3
glib2.0
gnutls26
gst-plugins-bad0.10
gst-plugins-good0.10
heimdal
icu
jabberd14
libapache2-mod-fcgid
evince
libast
libgtop2
libnss-ldap
libpam-ldap
libsoup2.4
libtasn1-3
libtheora
libwmf
link-grammar
lsh-server
mediawiki
moin
pango1.0
pmount
polipo
poppler
postgresql-ocaml
pulseaudio
ruby1.8
ruby1.9.1
squid3
streamripper
sword
t1lib
unalz
uw-imap
vino


Fixed:
libvirt (0.9.6-1)
gimp (2.6.11-4)
ghostscript (9.04~dfsg-1)
samba (2:3.5.11~dfsg-2)
libgd2 (2.0.36~rc1~dfsg-6)
sympa (6.1.7~dfsg-1)
mailman (1:2.1.14-3)
ncompress (4.2.4.4-3)
xzgv (5.9-3)
flac (1.2.1-6)
xorg-server (2:1.11.1.901-1)
openldap (2.4.25-4)
vim (2:7.3.346-1)
freetype (2.4.7-2)
python-crypto (2.4-1)
xorg-server (2:1.11.1.901-1)
xpdf (3.03-7)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
network-manager (0.9.1.95-1)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
tmux (1.6~svn2630-2)
tcpdump (4.2.0~rc1-2)
libthai (0.1.16-1)
git (1:1.7.7.2-1)
man-db (2.6.0.2-3)
elinks (0.12~pre5-6)
zgv (5.9-4)
jasper (1.900.1-11)
xfs (1.0.8-7)
fbi (2.07-9)
reprepro (4.5.0-1)
antiword (0.37-8)
wv2 (0.4.2.dfsg.1-5)


Hardening incomplete:
gtetrinet (653443)


Packages, which use hardened build flags manually, but not yet dpkg-buildflags:
apache2
apr
apr-util


Packages using hardening-wrapper/-includes (these are considered fixed, although
   switching them over to dpkg-buildflags might be worthwhile later on):
netatalk
graphicsmagick
udev
xfce4-terminal
openssh
evolution
dbus
libgsf
tor
evolution-data-server
cyrus-imapd-2.4
aria2
mysql-5.1
cups
wireshark
squid
exim4
php5
ipsec-tools
postgresql-8.4
postgresql-9.0
postgresql-9.1
gnupg2
nagios3
tiff
bind9
postfix
chromium-browser
pidgin
nagios-plugins
znc
cyrus-sasl2
ldns
quagga


1	jmm	17231	Hardening subgoal for Wheezy:
2			All packages, which had a DSA since 2006.
3
4	gilbert-guest	17234	Instructions:
5			- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
6	gilbert-guest	17235	- After NMUing a candidate where all build flags have been successfully enabled,
7			add it to the "Resolved/fixed:" list
8			- After NMUing a candidate with only some of the build flags enabled, add it to
9			the "Partially fixed: list (in order to remember what needs further work in the
10			future)
11	jmm	17351	- cdbs packages should be fixed automatically, but needs to be double-checked
12	jmm	17231
13
14	jmm	17351	Candidates:
15	jmm	17231
16			abcmidi
17	jmm	17891	acpid (653502)
18	jmm	17231	alsaplayer
19	jmm	17885	amarok (653354)
20	jmm	17891	amule (653503)
21	jmm	17893	apt (653504)
22	jmm	17231	asterisk
23	jmm	17892	audiofile (651029)
24	jmm	17231	avahi
25	jmm	17893	barnowl (653506)
26	jmm	17346	beid
27	jmm	17231	blender
28			bluez-hcidump
29			bochs
30			bsdgames
31			bzip2
32			cabextract
33			capi4hylafax
34			cgiirc
35			cheesetracker
36			chmlib
37			chrony
38			citadel
39			clamav
40			collectd
41			courier
42			courier-authlib
43			cpio
44			crawl
45	jmm	17889	cscope (653490)
46	jmm	17231	ctorrent
47			curl
48			cyrus-imapd-2.2
49			devil
50			devscripts
51			dia
52			djbdns
53			dkim-milter
54			dovecot
55			dpkg
56			drbd8
57			dspam
58			e2fsprogs
59			ejabberd
60			ekg
61	jmm	17284	emacs23
62	jmm	17231	enscript
63			exiftags
64			exiv2
65			expat
66			fetchmail
67	jmm	17886	file (653481)
68	jmm	17346	firebird2.5
69	jmm	17231	flex
70			fontforge
71			freeciv
72			freeradius
73			fuse
74	jmm	17346	ganglia
75	jmm	17285	eglibc
76			gmime2.4
77			pioneers
78	jmm	17231	gnumeric
79	jmm	17885	gnupg (653480)
80	jmm	17231	gv
81			gzip
82			hashcash
83			heartbeat
84			hostapd
85			hplip
86			htdig
87			httrack
88			hybserv
89			hylafax
90			iceape
91	jmm	17883	iceweasel (653191)
92	jmm	17231	id3lib3.8.3
93			imagemagick
94			imlib2
95			inotify-tools
96			ircd-hybrid
97			isakmpd
98			isc-dhcp
99			iscsitarget
100			kaffeine
101			kazehakase
102			kde4libs
103			kdebase
104			kdegraphics
105			kolab-cyrus-imapd
106			krb5
107			krb5-appl
108			ktorrent
109			kvirc
110			l2tpns
111			lasso
112			lcms
113			lftp
114			libapache2-mod-authnz-external
115			libapache2-mod-auth-pgsql
116			libapache-mod-auth-kerb
117			libapache-mod-jk
118			libarchive
119			libav
120	jmm	17347	cairo
121	jmm	17231	libcdaudio
122			libcgroup
123			libdbd-pg-perl
124			libdumb
125			libexif
126			libextractor
127			libfishsound
128			libhtml-parser-perl
129			libimager-perl
130			libmikmod
131			libmodplug
132			libnet-dns-perl
133			libpam-heimdal
134			libpam-krb5
135			libpng
136			librpcsecgss
137			libsmi
138			libsndfile
139			libtk-img
140			libtool
141			libtorrent-rasterbar
142			libtunepimp
143			libvorbis
144			libwpd
145			libxfont
146			libxml2
147			libxslt
148			lighttpd
149			links2
150			linux-ftpd
151			loop-aes-utils
152			ltsp
153			lurker
154			lvm2
155			lynx-cur
156			maildrop
157			mapserver
158			maradns
159			memcached
160			mimetex
161			mldonkey
162			mlmmj
163			mon
164			mono
165			mpg123
166			mplayer
167	jmm	17281	mplayer2
168	jmm	17348	forked-daapd
169	jmm	17231	mtr
170			multipath-tools
171			mutt
172			mysql-ocaml
173			icinga
174			nas
175			nbd
176			ndiswrapper
177			netpbm-free
178			netrik
179			net-snmp
180			newt
181			nginx
182			no-ip
183			noweb
184	jmm	17290	nsd3
185	jmm	17231	nspr
186			nss
187	jmm	17348	nss-pam-ldapd
188	jmm	17231	ntp
189			openafs
190			openexr
191			open-iscsi
192			openjdk-6
193			libreoffice
194			opensaml2
195			opensc
196	jmm	17889	openssl (653495)
197	jmm	17231	openswan
198			openvpn
199			oprofile
200			osiris
201			pam-pgsql
202			pcre3
203			pcsc-lite
204			pdns
205			pdns-recursor
206			perdition
207			perl
208			petris
209			pimd
210			pinball
211			pound
212			ppp
213			pptpd
214			proftpd-dfsg
215			psi
216			pstotext
217			pygresql
218	thijs	17273	python2.6
219			python2.7
220			python3.2
221	jmm	17231	python-cjson
222			qemu
223			qemu-kvm
224			qt4-x11
225			qt-x11-free
226	jmm	17889	rdesktop (653498)
227	jmm	17231	rssh
228	jmm	17802	rsync (652248)
229	jmm	17231	ruby-gnome2
230			sash
231			scponly
232			screen
233			sdl-image1.2
234			slurm-llnl
235			smstools
236			snmptrapfmt
237			socat
238			spamassassin
239			spamass-milter
240			speex
241			splitvt
242			squidguard
243			strongswan
244			subversion
245			sudo
246			suphp
247			syslog-ng
248			systemtap
249			tcpreen
250			telepathy-gabble
251			texinfo
252			tgt
253			thttpd
254			tinymux
255			tinyproxy
256			tk8.4
257	thijs	17273	tk8.5
258	jmm	17231	tuxpaint
259			typespeed
260			unbound
261			unicon
262			unzip
263			util-linux
264			vlc
265			vnc4
266			webcit
267			webkit
268			wesnoth
269			wget
270			wine
271			wml
272			wxwidgets2.6
273	thijs	17273	wxwidgets2.8
274	jmm	17231	wzdftpd
275			x11-xserver-utils
276			xapian-omega
277			xine-lib
278			xmcd
279			xmlsec1
280			xml-security-c
281			xmltooling
282	jmm	17888	xterm (653488)
283	jmm	17231	zabbix
284			zodb
285	thijs	17273	zoo
286
287
288	jmm	17772	Packages using cdbs, which need additional fixes:
289			icedove
290
291
292	jmm	17312	Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
293	jmm	17286	the upload of dpkg/1.16.1:
294			koffice
295	jmm	17288	libspf2
296	jmm	17338	wordnet
297			sendmail
298	jmm	17349	afuse
299			bomberclone
300			camlimages
301			couchdb
302			crossfire
303			dvipng
304			eggdrop
305			gdm3
306			glib2.0
307			gnutls26
308			gst-plugins-bad0.10
309			gst-plugins-good0.10
310			heimdal
311			icu
312			jabberd14
313			libapache2-mod-fcgid
314			evince
315			libast
316			libgtop2
317			libnss-ldap
318			libpam-ldap
319			libsoup2.4
320			libtasn1-3
321			libtheora
322			libwmf
323			link-grammar
324			lsh-server
325			mediawiki
326			moin
327			pango1.0
328			pmount
329			polipo
330			poppler
331			postgresql-ocaml
332			pulseaudio
333			ruby1.8
334			ruby1.9.1
335			squid3
336			streamripper
337			sword
338			t1lib
339			unalz
340			uw-imap
341			vino
342	jmm	17280
343	jmm	17286
344	jmm	17719	Fixed:
345	jmm	17349	libvirt (0.9.6-1)
346			gimp (2.6.11-4)
347	jmm	17355	ghostscript (9.04~dfsg-1)
348	jmm	17719	samba (2:3.5.11~dfsg-2)
349			libgd2 (2.0.36~rc1~dfsg-6)
350	thijs	17649	sympa (6.1.7~dfsg-1)
351	thijs	17395	mailman (1:2.1.14-3)
352	jmm	17312	ncompress (4.2.4.4-3)
353	jmm	17344	xzgv (5.9-3)
354	jmm	17719	flac (1.2.1-6)
355	thijs	17673	xorg-server (2:1.11.1.901-1)
356	jmm	17719	openldap (2.4.25-4)
357			vim (2:7.3.346-1)
358			freetype (2.4.7-2)
359			python-crypto (2.4-1)
360			xorg-server (2:1.11.1.901-1)
361	gilbert-guest	17529	xpdf (3.03-7)
362	jmm	17772	libmusicbrainz-2.1 (2.1_2.1.5-6.1)
363	jmm	17719	network-manager (0.9.1.95-1)
364			libmusicbrainz-2.1 (2.1_2.1.5-6.1)
365			tmux (1.6~svn2630-2)
366			tcpdump (4.2.0~rc1-2)
367			libthai (0.1.16-1)
368			git (1:1.7.7.2-1)
369			man-db (2.6.0.2-3)
370	jmm	17802	elinks (0.12~pre5-6)
371	jmm	17883	zgv (5.9-4)
372	jmm	17886	jasper (1.900.1-11)
373			xfs (1.0.8-7)
374	jmm	17888	fbi (2.07-9)
375	jmm	17889	reprepro (4.5.0-1)
376	jmm	17892	antiword (0.37-8)
377	jmm	17893	wv2 (0.4.2.dfsg.1-5)
378	jmm	17231
379	jmm	17312
380	jmm	17883
381	jmm	17888
382	jmm	17892
383	jmm	17893
384	jmm	17883	Hardening incomplete:
385			gtetrinet (653443)
386
387
388	jmm	17890	Packages, which use hardened build flags manually, but not yet dpkg-buildflags:
389			apache2
390			apr
391			apr-util
392	jmm	17883
393	jmm	17890
394
395	jmm	17291	Packages using hardening-wrapper/-includes (these are considered fixed, although
396	jmm	17289	switching them over to dpkg-buildflags might be worthwhile later on):
397	jmm	17291	netatalk
398			graphicsmagick
399			udev
400			xfce4-terminal
401			openssh
402			evolution
403			dbus
404			libgsf
405			tor
406			evolution-data-server
407	jmm	17289	cyrus-imapd-2.4
408			aria2
409			mysql-5.1
410			cups
411			wireshark
412			squid
413			exim4
414			php5
415			ipsec-tools
416			postgresql-8.4
417			postgresql-9.0
418			postgresql-9.1
419			gnupg2
420			nagios3
421			tiff
422			bind9
423			postfix
424			chromium-browser
425			pidgin
426			nagios-plugins
427			znc
428			cyrus-sasl2
429			ldns
430			quagga
431
432
433
434	jmm	17349
435
436
437	jmm	17354
438
439
440
441
442