secure-testing/hardening/subgoal-dsa.txt

Hardening subgoal for Wheezy:
All packages, which had a DSA since 2006. 

Instructions:
- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
- After NMUing a candidate where all build flags have been successfully enabled, 
  add it to the "Resolved/fixed:" list
- After NMUing a candidate with only some of the build flags enabled, add it to
  the "Partially fixed: list (in order to remember what needs further work in the 
  future)
- cdbs packages should be fixed automatically, but needs to be double-checked


Candidates:

abcmidi
acpid (653502)
alsaplayer
amarok (653354)
amule (653503)
apt (653504)
asterisk
audiofile (651029)
avahi
barnowl (653506)
beid
blender
bluez-hcidump (653507)
bochs (653511)
bsdgames
bzip2
cabextract (653509)
capi4hylafax
cgiirc
cheesetracker
chmlib
chrony
citadel (653514)
clamav
collectd
courier
courier-authlib
cpio
crawl
cscope (653490)
ctorrent
curl
devil
devscripts
dia
djbdns
dkim-milter
dovecot (653530)
drbd8
dspam
e2fsprogs
ejabberd
ekg (653531)
emacs23
enscript (653528)
exiftags
exiv2
expat (653526)
fetchmail
file (653481)
firebird2.5
flex
fontforge
freeciv
freeradius
ganglia
eglibc
gmime2.4
pioneers
gnumeric
gnupg (653480)
gv
gzip
hashcash
heartbeat
hostapd
hplip
htdig
httrack
hybserv
hylafax
iceape
iceweasel (653191)
id3lib3.8.3
imagemagick
imlib2
inotify-tools
ircd-hybrid
isakmpd
isc-dhcp
iscsitarget
kaffeine
kazehakase
kde4libs
kdebase
kdegraphics
kolab-cyrus-imapd
krb5
krb5-appl
ktorrent
kvirc
l2tpns
lasso
lcms
lftp
libapache2-mod-authnz-external
libapache2-mod-auth-pgsql
libapache-mod-auth-kerb
libapache-mod-jk
libarchive
libav
cairo
libcdaudio
libcgroup
libdbd-pg-perl
libdumb
libexif
libextractor
libfishsound
libhtml-parser-perl
libimager-perl
libmikmod
libmodplug
libnet-dns-perl
libpam-heimdal
libpam-krb5
libpng
librpcsecgss
libsmi
libsndfile
libtk-img
libtool
libtorrent-rasterbar
libtunepimp
libvorbis
libwpd
libxfont
libxml2
libxslt
lighttpd
links2
linux-ftpd
loop-aes-utils
ltsp
lurker
lvm2
lynx-cur
maildrop
mapserver
maradns
memcached
mimetex
mldonkey
mlmmj
mon
mono
mpg123
mplayer
mplayer2
forked-daapd
mtr
multipath-tools
mutt
mysql-ocaml
icinga
nas
nbd
ndiswrapper
netpbm-free
netrik
net-snmp
newt
nginx
no-ip
noweb
nsd3
nspr
nss
nss-pam-ldapd
ntp
openafs
openexr
open-iscsi
openjdk-6
libreoffice
opensaml2
opensc
openssl (653495)
openswan
openvpn
oprofile
osiris
pam-pgsql
pcre3
pcsc-lite
pdns
pdns-recursor
perdition
perl
petris
pimd
pinball
pound
ppp
pptpd
proftpd-dfsg
psi
pstotext
pygresql
python2.6
python2.7
python3.2
python-cjson
qemu
qemu-kvm
qt4-x11
qt-x11-free
rdesktop (653498)
rssh
rsync (652248)
ruby-gnome2
sash
scponly
screen
sdl-image1.2
slurm-llnl
smstools
snmptrapfmt
socat
spamassassin
spamass-milter
speex
splitvt
squidguard
strongswan
subversion
sudo
suphp
syslog-ng
systemtap
tcpreen
telepathy-gabble
texinfo
tgt
thttpd
tinymux
tinyproxy
tk8.4
tk8.5
tuxpaint
typespeed
unbound
unicon
unzip
util-linux
vlc
vnc4
webcit
webkit
wesnoth
wget
wine
wml
wxwidgets2.6
wxwidgets2.8
wzdftpd
x11-xserver-utils
xapian-omega
xine-lib
xmcd
xmlsec1
xml-security-c
xmltooling
xterm (653488)
zabbix
zodb
zoo


Packages using cdbs, which need additional fixes:
icedove


Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
  the upload of dpkg/1.16.1:
koffice
libspf2
wordnet
sendmail
afuse
bomberclone
camlimages
couchdb
crossfire
dvipng
eggdrop
gdm3
glib2.0
gnutls26
gst-plugins-bad0.10
gst-plugins-good0.10
heimdal
icu
jabberd14
libapache2-mod-fcgid
evince
libast
libgtop2
libnss-ldap
libpam-ldap
libsoup2.4
libtasn1-3
libtheora
libwmf
link-grammar
lsh-server
mediawiki
moin
pango1.0
pmount
polipo
poppler
postgresql-ocaml
pulseaudio
ruby1.8
ruby1.9.1
squid3
streamripper
sword
t1lib
unalz
uw-imap
vino


Fixed:
libvirt (0.9.6-1)
gimp (2.6.11-4)
ghostscript (9.04~dfsg-1)
samba (2:3.5.11~dfsg-2)
libgd2 (2.0.36~rc1~dfsg-6)
sympa (6.1.7~dfsg-1)
mailman (1:2.1.14-3)
ncompress (4.2.4.4-3)
xzgv (5.9-3)
flac (1.2.1-6)
xorg-server (2:1.11.1.901-1)
openldap (2.4.25-4)
vim (2:7.3.346-1)
freetype (2.4.7-2)
python-crypto (2.4-1)
xorg-server (2:1.11.1.901-1)
xpdf (3.03-7)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
network-manager (0.9.1.95-1)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
tmux (1.6~svn2630-2)
tcpdump (4.2.0~rc1-2)
libthai (0.1.16-1)
git (1:1.7.7.2-1)
man-db (2.6.0.2-3)
elinks (0.12~pre5-6)
zgv (5.9-4)
jasper (1.900.1-11)
xfs (1.0.8-7)
fbi (2.07-9)
reprepro (4.5.0-1)
antiword (0.37-8)
wv2 (0.4.2.dfsg.1-5)
dpkg (1.16.1)
fuse (2.8.6-3)


Hardening incomplete:
gtetrinet (653443)


Packages, which use hardened build flags manually, but not yet dpkg-buildflags:
apache2
apr
apr-util


Packages using hardening-wrapper/-includes (these are considered fixed, although
   switching them over to dpkg-buildflags might be worthwhile later on):
netatalk
graphicsmagick
udev
xfce4-terminal
openssh
evolution
dbus
libgsf
tor
evolution-data-server
cyrus-imapd-2.4
aria2
mysql-5.1
cups
wireshark
squid
exim4
php5
ipsec-tools
postgresql-8.4
postgresql-9.0
postgresql-9.1
gnupg2
nagios3
tiff
bind9
postfix
chromium-browser
pidgin
nagios-plugins
znc
cyrus-sasl2
ldns
quagga


1	jmm	17231	Hardening subgoal for Wheezy:
2			All packages, which had a DSA since 2006.
3
4	gilbert-guest	17234	Instructions:
5			- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
6	gilbert-guest	17235	- After NMUing a candidate where all build flags have been successfully enabled,
7			add it to the "Resolved/fixed:" list
8			- After NMUing a candidate with only some of the build flags enabled, add it to
9			the "Partially fixed: list (in order to remember what needs further work in the
10			future)
11	jmm	17351	- cdbs packages should be fixed automatically, but needs to be double-checked
12	jmm	17231
13
14	jmm	17351	Candidates:
15	jmm	17231
16			abcmidi
17	jmm	17891	acpid (653502)
18	jmm	17231	alsaplayer
19	jmm	17885	amarok (653354)
20	jmm	17891	amule (653503)
21	jmm	17893	apt (653504)
22	jmm	17231	asterisk
23	jmm	17892	audiofile (651029)
24	jmm	17231	avahi
25	jmm	17893	barnowl (653506)
26	jmm	17346	beid
27	jmm	17231	blender
28	jmm	17894	bluez-hcidump (653507)
29	jmm	17895	bochs (653511)
30	jmm	17231	bsdgames
31			bzip2
32	jmm	17894	cabextract (653509)
33	jmm	17231	capi4hylafax
34			cgiirc
35			cheesetracker
36			chmlib
37			chrony
38	jmm	17895	citadel (653514)
39	jmm	17231	clamav
40			collectd
41			courier
42			courier-authlib
43			cpio
44			crawl
45	jmm	17889	cscope (653490)
46	jmm	17231	ctorrent
47			curl
48			devil
49			devscripts
50			dia
51			djbdns
52			dkim-milter
53	jmm	17899	dovecot (653530)
54	jmm	17231	drbd8
55			dspam
56			e2fsprogs
57			ejabberd
58	jmm	17899	ekg (653531)
59	jmm	17284	emacs23
60	jmm	17898	enscript (653528)
61	jmm	17231	exiftags
62			exiv2
63	jmm	17898	expat (653526)
64	jmm	17231	fetchmail
65	jmm	17886	file (653481)
66	jmm	17346	firebird2.5
67	jmm	17231	flex
68			fontforge
69			freeciv
70			freeradius
71	jmm	17346	ganglia
72	jmm	17285	eglibc
73			gmime2.4
74			pioneers
75	jmm	17231	gnumeric
76	jmm	17885	gnupg (653480)
77	jmm	17231	gv
78			gzip
79			hashcash
80			heartbeat
81			hostapd
82			hplip
83			htdig
84			httrack
85			hybserv
86			hylafax
87			iceape
88	jmm	17883	iceweasel (653191)
89	jmm	17231	id3lib3.8.3
90			imagemagick
91			imlib2
92			inotify-tools
93			ircd-hybrid
94			isakmpd
95			isc-dhcp
96			iscsitarget
97			kaffeine
98			kazehakase
99			kde4libs
100			kdebase
101			kdegraphics
102			kolab-cyrus-imapd
103			krb5
104			krb5-appl
105			ktorrent
106			kvirc
107			l2tpns
108			lasso
109			lcms
110			lftp
111			libapache2-mod-authnz-external
112			libapache2-mod-auth-pgsql
113			libapache-mod-auth-kerb
114			libapache-mod-jk
115			libarchive
116			libav
117	jmm	17347	cairo
118	jmm	17231	libcdaudio
119			libcgroup
120			libdbd-pg-perl
121			libdumb
122			libexif
123			libextractor
124			libfishsound
125			libhtml-parser-perl
126			libimager-perl
127			libmikmod
128			libmodplug
129			libnet-dns-perl
130			libpam-heimdal
131			libpam-krb5
132			libpng
133			librpcsecgss
134			libsmi
135			libsndfile
136			libtk-img
137			libtool
138			libtorrent-rasterbar
139			libtunepimp
140			libvorbis
141			libwpd
142			libxfont
143			libxml2
144			libxslt
145			lighttpd
146			links2
147			linux-ftpd
148			loop-aes-utils
149			ltsp
150			lurker
151			lvm2
152			lynx-cur
153			maildrop
154			mapserver
155			maradns
156			memcached
157			mimetex
158			mldonkey
159			mlmmj
160			mon
161			mono
162			mpg123
163			mplayer
164	jmm	17281	mplayer2
165	jmm	17348	forked-daapd
166	jmm	17231	mtr
167			multipath-tools
168			mutt
169			mysql-ocaml
170			icinga
171			nas
172			nbd
173			ndiswrapper
174			netpbm-free
175			netrik
176			net-snmp
177			newt
178			nginx
179			no-ip
180			noweb
181	jmm	17290	nsd3
182	jmm	17231	nspr
183			nss
184	jmm	17348	nss-pam-ldapd
185	jmm	17231	ntp
186			openafs
187			openexr
188			open-iscsi
189			openjdk-6
190			libreoffice
191			opensaml2
192			opensc
193	jmm	17889	openssl (653495)
194	jmm	17231	openswan
195			openvpn
196			oprofile
197			osiris
198			pam-pgsql
199			pcre3
200			pcsc-lite
201			pdns
202			pdns-recursor
203			perdition
204			perl
205			petris
206			pimd
207			pinball
208			pound
209			ppp
210			pptpd
211			proftpd-dfsg
212			psi
213			pstotext
214			pygresql
215	thijs	17273	python2.6
216			python2.7
217			python3.2
218	jmm	17231	python-cjson
219			qemu
220			qemu-kvm
221			qt4-x11
222			qt-x11-free
223	jmm	17889	rdesktop (653498)
224	jmm	17231	rssh
225	jmm	17802	rsync (652248)
226	jmm	17231	ruby-gnome2
227			sash
228			scponly
229			screen
230			sdl-image1.2
231			slurm-llnl
232			smstools
233			snmptrapfmt
234			socat
235			spamassassin
236			spamass-milter
237			speex
238			splitvt
239			squidguard
240			strongswan
241			subversion
242			sudo
243			suphp
244			syslog-ng
245			systemtap
246			tcpreen
247			telepathy-gabble
248			texinfo
249			tgt
250			thttpd
251			tinymux
252			tinyproxy
253			tk8.4
254	thijs	17273	tk8.5
255	jmm	17231	tuxpaint
256			typespeed
257			unbound
258			unicon
259			unzip
260			util-linux
261			vlc
262			vnc4
263			webcit
264			webkit
265			wesnoth
266			wget
267			wine
268			wml
269			wxwidgets2.6
270	thijs	17273	wxwidgets2.8
271	jmm	17231	wzdftpd
272			x11-xserver-utils
273			xapian-omega
274			xine-lib
275			xmcd
276			xmlsec1
277			xml-security-c
278			xmltooling
279	jmm	17888	xterm (653488)
280	jmm	17231	zabbix
281			zodb
282	thijs	17273	zoo
283
284
285	jmm	17772	Packages using cdbs, which need additional fixes:
286			icedove
287
288
289	jmm	17312	Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
290	jmm	17286	the upload of dpkg/1.16.1:
291			koffice
292	jmm	17288	libspf2
293	jmm	17338	wordnet
294			sendmail
295	jmm	17349	afuse
296			bomberclone
297			camlimages
298			couchdb
299			crossfire
300			dvipng
301			eggdrop
302			gdm3
303			glib2.0
304			gnutls26
305			gst-plugins-bad0.10
306			gst-plugins-good0.10
307			heimdal
308			icu
309			jabberd14
310			libapache2-mod-fcgid
311			evince
312			libast
313			libgtop2
314			libnss-ldap
315			libpam-ldap
316			libsoup2.4
317			libtasn1-3
318			libtheora
319			libwmf
320			link-grammar
321			lsh-server
322			mediawiki
323			moin
324			pango1.0
325			pmount
326			polipo
327			poppler
328			postgresql-ocaml
329			pulseaudio
330			ruby1.8
331			ruby1.9.1
332			squid3
333			streamripper
334			sword
335			t1lib
336			unalz
337			uw-imap
338			vino
339	jmm	17280
340	jmm	17286
341	jmm	17719	Fixed:
342	jmm	17349	libvirt (0.9.6-1)
343			gimp (2.6.11-4)
344	jmm	17355	ghostscript (9.04~dfsg-1)
345	jmm	17719	samba (2:3.5.11~dfsg-2)
346			libgd2 (2.0.36~rc1~dfsg-6)
347	thijs	17649	sympa (6.1.7~dfsg-1)
348	thijs	17395	mailman (1:2.1.14-3)
349	jmm	17312	ncompress (4.2.4.4-3)
350	jmm	17344	xzgv (5.9-3)
351	jmm	17719	flac (1.2.1-6)
352	thijs	17673	xorg-server (2:1.11.1.901-1)
353	jmm	17719	openldap (2.4.25-4)
354			vim (2:7.3.346-1)
355			freetype (2.4.7-2)
356			python-crypto (2.4-1)
357			xorg-server (2:1.11.1.901-1)
358	gilbert-guest	17529	xpdf (3.03-7)
359	jmm	17772	libmusicbrainz-2.1 (2.1_2.1.5-6.1)
360	jmm	17719	network-manager (0.9.1.95-1)
361			libmusicbrainz-2.1 (2.1_2.1.5-6.1)
362			tmux (1.6~svn2630-2)
363			tcpdump (4.2.0~rc1-2)
364			libthai (0.1.16-1)
365			git (1:1.7.7.2-1)
366			man-db (2.6.0.2-3)
367	jmm	17802	elinks (0.12~pre5-6)
368	jmm	17883	zgv (5.9-4)
369	jmm	17886	jasper (1.900.1-11)
370			xfs (1.0.8-7)
371	jmm	17888	fbi (2.07-9)
372	jmm	17889	reprepro (4.5.0-1)
373	jmm	17892	antiword (0.37-8)
374	jmm	17893	wv2 (0.4.2.dfsg.1-5)
375	jmm	17896	dpkg (1.16.1)
376	jmm	17899	fuse (2.8.6-3)
377	jmm	17231
378	jmm	17312
379	jmm	17883
380	jmm	17888
381	jmm	17892
382	jmm	17883	Hardening incomplete:
383			gtetrinet (653443)
384
385
386	jmm	17890	Packages, which use hardened build flags manually, but not yet dpkg-buildflags:
387			apache2
388			apr
389			apr-util
390	jmm	17883
391	jmm	17890
392
393	jmm	17291	Packages using hardening-wrapper/-includes (these are considered fixed, although
394	jmm	17289	switching them over to dpkg-buildflags might be worthwhile later on):
395	jmm	17291	netatalk
396			graphicsmagick
397			udev
398			xfce4-terminal
399			openssh
400			evolution
401			dbus
402			libgsf
403			tor
404			evolution-data-server
405	jmm	17289	cyrus-imapd-2.4
406			aria2
407			mysql-5.1
408			cups
409			wireshark
410			squid
411			exim4
412			php5
413			ipsec-tools
414			postgresql-8.4
415			postgresql-9.0
416			postgresql-9.1
417			gnupg2
418			nagios3
419			tiff
420			bind9
421			postfix
422			chromium-browser
423			pidgin
424			nagios-plugins
425			znc
426			cyrus-sasl2
427			ldns
428			quagga
429
430
431
432	jmm	17349
433
434
435	jmm	17354
436
437
438
439
440