secure-testing/hardening/subgoal-dsa.txt

Hardening subgoal for Wheezy:
All packages, which had a DSA since 2006. 

Instructions:
- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
- After NMUing a candidate where all build flags have been successfully enabled, 
  add it to the "Resolved/fixed:" list
- After NMUing a candidate with only some of the build flags enabled, add it to
  the "Partially fixed: list (in order to remember what needs further work in the 
  future)
- cdbs packages should be fixed automatically, but needs to be double-checked


Candidates:

acpid (653502)
alsaplayer (654518)
amarok (653354)
apt (653504)
asterisk (653944)
avahi (all changes present, fixed with next upload)
barnowl (653506)
beid (653956)
bochs (653511)
bzip2
capi4hylafax (653539)
cgiirc (suggested removal in #653510)
chrony
citadel (653514)
clamav (653958)
collectd (suggested removal in #654520)
courier
courier-authlib
cpio (654522)
cscope (653490)
ctorrent (653536)
devil (653535)
devscripts
dspam (all changes present, fixed with next upload)
djbdns
dkim-milter
dovecot (653530)
drbd8 (currently broken: #654459)
e2fsprogs (654457)
ejabberd
ekg (653531)
emacs23
exiftags
exiv2
expat (653526)
file (653481)
firebird2.5
flex
freeciv
freeradius
ganglia
eglibc
gmime2.4
pioneers
gnumeric
gnupg (653480)
gzip
hashcash
heartbeat
hostapd
hplip
httrack
hybserv
hylafax
iceape
iceweasel (653191)
id3lib3.8.3
imagemagick
imlib2
inotify-tools
ircd-hybrid
isakmpd
isc-dhcp
iscsitarget
kaffeine
kazehakase
kde4libs
kdebase
kdegraphics
kolab-cyrus-imapd (will be removed and built from the cyrus-2.4 package; #647221)
krb5
krb5-appl
ktorrent
kvirc
l2tpns
lasso
lcms
lftp
libapache2-mod-authnz-external
libapache2-mod-auth-pgsql
libapache-mod-auth-kerb
libapache-mod-jk
libarchive
libav
cairo
libcdaudio
libcgroup
libdbd-pg-perl
libdumb
libexif (650998)
libextractor
libfishsound
libhtml-parser-perl
libimager-perl
libmikmod
libmodplug
libnet-dns-perl
libpam-heimdal
libpng (654149)
librpcsecgss
libsmi
libsndfile
libtk-img
libtool
libtorrent-rasterbar
libtunepimp
libvorbis
libwpd (653947)
libxfont (654154)
libxml2
libxslt
links2
linux-ftpd
loop-aes-utils
ltsp
lurker
lvm2
maildrop
mapserver
maradns
memcached
mimetex
mldonkey
mlmmj
mon
mono
mpg123
mplayer
mplayer2
forked-daapd (654147)
mtr (654117)
multipath-tools
mutt (654148)
mysql-ocaml
icinga
nas
nbd (653954)
ndiswrapper
netpbm-free
netrik
net-snmp
newt
nginx
no-ip
noweb
nsd3
nspr
nss
nss-pam-ldapd
ntp
openafs
openexr
open-iscsi
openjdk-6
libreoffice
opensaml2
openssl (653495)
openswan
openvpn
osiris
pam-pgsql
pcre3
pcsc-lite
pdns
pdns-recursor
perdition
perl
pound
ppp
pptpd
proftpd-dfsg
psi
pstotext
pygresql
python2.7
python3.2
python3.3
python-cjson
qemu
qemu-kvm
qt4-x11
qt-x11-free
rssh (654155)
rsync (652248)
ruby-gnome2
sash
scponly
screen
sdl-image1.2
slurm-llnl
smstools
snmptrapfmt
socat (654152)
spamassassin
spamass-milter
speex
splitvt
squidguard
strongswan
subversion
sudo
suphp
syslog-ng
systemtap
tcpreen
telepathy-gabble
texinfo
tgt
tinymux
tinyproxy
tk8.4
tk8.5
unbound
unicon
unzip
vlc
vnc4
webcit
webkit
wesnoth
wget
wine
wml
wxwidgets2.6
wxwidgets2.8
wzdftpd
x11-xserver-utils
xapian-omega
xine-lib
xmlsec1
xml-security-c
xmltooling
zabbix
zodb
zoo


Packages using dh, but which need additional multiarch changes for compat 9:
opensc
dia


Packages using cdbs, which need additional fixes:
icedove

Packages using Scons, needs additional research:
blender
cheesetracker


Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
  the upload of dpkg/1.16.1:
koffice
libspf2
wordnet
sendmail
afuse
bomberclone
camlimages
couchdb
crossfire
dvipng
eggdrop
gdm3
glib2.0
gnutls26
gst-plugins-bad0.10
gst-plugins-good0.10
heimdal
icu
jabberd14
libapache2-mod-fcgid
evince
libast
libgtop2
libnss-ldap
libpam-ldap
libsoup2.4
libtasn1-3
libtheora
libwmf
link-grammar
lsh-server
mediawiki
moin
pango1.0
pmount
polipo
poppler
postgresql-ocaml
pulseaudio
ruby1.8
ruby1.9.1
squid3
streamripper
sword
t1lib
unalz
uw-imap
vino


Fixed:
libvirt (0.9.6-1)
gimp (2.6.11-4)
ghostscript (9.04~dfsg-1)
samba (2:3.5.11~dfsg-2)
libgd2 (2.0.36~rc1~dfsg-6)
sympa (6.1.7~dfsg-1)
mailman (1:2.1.14-3)
ncompress (4.2.4.4-3)
xzgv (5.9-3)
flac (1.2.1-6)
xorg-server (2:1.11.1.901-1)
openldap (2.4.25-4)
vim (2:7.3.346-1)
freetype (2.4.7-2)
python-crypto (2.4-1)
xorg-server (2:1.11.1.901-1)
xpdf (3.03-7)
fetchmail (6.3.21-3)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
network-manager (0.9.1.95-1)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
tmux (1.6~svn2630-2)
tcpdump (4.2.0~rc1-2)
libthai (0.1.16-1)
git (1:1.7.7.2-1)
man-db (2.6.0.2-3)
elinks (0.12~pre5-6)
zgv (5.9-4)
jasper (1.900.1-11)
xfs (1.0.8-7)
fbi (2.07-9) 
reprepro (4.5.0-1)
antiword (0.37-8) (653499)
wv2 (0.4.2.dfsg.1-5)
dpkg (1.16.1)
fuse (2.8.6-3)
fontforge (0.0.20110222-6) (653534)
apache2 (2.2.21-4)
cabextract (1.4-2) (653509)
htdig (3.2.0b6-12)
xterm (276-2) (653488)
enscript (1.6.5.90-2) (653528)
amule (2.3.1-2) (653503)
gv (1:3.7.1-2)
bluez-hcidump (2.1-2) (653507)
lighttpd (1.4.30-1) (654151)
pimd (2.1.8-2) (654081)
chmlib (2:0.40a-2) (653955)
lynx-cur (6.6.7-4) (654097)
rdesktop (1.7.0-2) (653498)
libpam-krb5 (4.5-3) (654293)
curl (7.23.1-3) (654521)
audiofile (0.3.2-1) (651029)


Hardening incomplete:
gtetrinet (653443)


Packages, which use hardened build flags manually, but not yet dpkg-buildflags:
apr
apr-util


Packages using hardening-wrapper/-includes (these are considered fixed, although
   switching them over to dpkg-buildflags might be worthwhile later on):
netatalk
graphicsmagick
udev
xfce4-terminal
openssh
evolution
dbus
libgsf
tor
evolution-data-server
cyrus-imapd-2.4
aria2
mysql-5.1
cups
wireshark
squid
exim4
php5
ipsec-tools
postgresql-8.4
postgresql-9.0
postgresql-9.1
gnupg2
nagios3
tiff
bind9
postfix
chromium-browser
pidgin
nagios-plugins
znc
cyrus-sasl2
ldns
quagga


1	jmm	17231	Hardening subgoal for Wheezy:
2			All packages, which had a DSA since 2006.
3
4	gilbert-guest	17234	Instructions:
5			- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
6	gilbert-guest	17235	- After NMUing a candidate where all build flags have been successfully enabled,
7			add it to the "Resolved/fixed:" list
8			- After NMUing a candidate with only some of the build flags enabled, add it to
9			the "Partially fixed: list (in order to remember what needs further work in the
10			future)
11	jmm	17351	- cdbs packages should be fixed automatically, but needs to be double-checked
12	jmm	17231
13
14	jmm	17351	Candidates:
15	jmm	17231
16	jmm	17891	acpid (653502)
17	jmm	18016	alsaplayer (654518)
18	jmm	17885	amarok (653354)
19	jmm	17893	apt (653504)
20	jmm	17965	asterisk (653944)
21			avahi (all changes present, fixed with next upload)
22	jmm	17893	barnowl (653506)
23	jmm	17970	beid (653956)
24	jmm	17895	bochs (653511)
25	jmm	17231	bzip2
26	jmm	17901	capi4hylafax (653539)
27	jmm	17969	cgiirc (suggested removal in #653510)
28	jmm	17231	chrony
29	jmm	17895	citadel (653514)
30	jmm	17971	clamav (653958)
31	jmm	18016	collectd (suggested removal in #654520)
32	jmm	17231	courier
33			courier-authlib
34	jmm	18024	cpio (654522)
35	jmm	17889	cscope (653490)
36	jmm	17900	ctorrent (653536)
37			devil (653535)
38	jmm	17231	devscripts
39	jmm	18025	dspam (all changes present, fixed with next upload)
40	jmm	17231	djbdns
41			dkim-milter
42	jmm	17899	dovecot (653530)
43	jmm	18016	drbd8 (currently broken: #654459)
44	jmm	18012	e2fsprogs (654457)
45	jmm	17231	ejabberd
46	jmm	17899	ekg (653531)
47	jmm	17284	emacs23
48	jmm	17231	exiftags
49			exiv2
50	jmm	17898	expat (653526)
51	jmm	17886	file (653481)
52	jmm	17346	firebird2.5
53	jmm	17231	flex
54			freeciv
55			freeradius
56	jmm	17346	ganglia
57	jmm	17285	eglibc
58			gmime2.4
59			pioneers
60	jmm	17231	gnumeric
61	jmm	17885	gnupg (653480)
62	jmm	17231	gzip
63			hashcash
64			heartbeat
65			hostapd
66			hplip
67			httrack
68			hybserv
69			hylafax
70			iceape
71	jmm	17883	iceweasel (653191)
72	jmm	17231	id3lib3.8.3
73			imagemagick
74			imlib2
75			inotify-tools
76			ircd-hybrid
77			isakmpd
78			isc-dhcp
79			iscsitarget
80			kaffeine
81			kazehakase
82			kde4libs
83			kdebase
84			kdegraphics
85	jmm	18023	kolab-cyrus-imapd (will be removed and built from the cyrus-2.4 package; #647221)
86	jmm	17231	krb5
87			krb5-appl
88			ktorrent
89			kvirc
90			l2tpns
91			lasso
92			lcms
93			lftp
94			libapache2-mod-authnz-external
95			libapache2-mod-auth-pgsql
96			libapache-mod-auth-kerb
97			libapache-mod-jk
98			libarchive
99			libav
100	jmm	17347	cairo
101	jmm	17231	libcdaudio
102			libcgroup
103			libdbd-pg-perl
104			libdumb
105	jmm	17972	libexif (650998)
106	jmm	17231	libextractor
107			libfishsound
108			libhtml-parser-perl
109			libimager-perl
110			libmikmod
111			libmodplug
112			libnet-dns-perl
113			libpam-heimdal
114	jmm	17983	libpng (654149)
115	jmm	17231	librpcsecgss
116			libsmi
117			libsndfile
118			libtk-img
119			libtool
120			libtorrent-rasterbar
121			libtunepimp
122			libvorbis
123	jmm	17969	libwpd (653947)
124	jmm	17984	libxfont (654154)
125	jmm	17231	libxml2
126			libxslt
127			links2
128			linux-ftpd
129			loop-aes-utils
130			ltsp
131			lurker
132			lvm2
133			maildrop
134			mapserver
135			maradns
136			memcached
137			mimetex
138			mldonkey
139			mlmmj
140			mon
141			mono
142			mpg123
143			mplayer
144	jmm	17281	mplayer2
145	jmm	17982	forked-daapd (654147)
146			mtr (654117)
147	jmm	17231	multipath-tools
148	jmm	17983	mutt (654148)
149	jmm	17231	mysql-ocaml
150			icinga
151			nas
152	jmm	17970	nbd (653954)
153	jmm	17231	ndiswrapper
154			netpbm-free
155			netrik
156			net-snmp
157			newt
158			nginx
159			no-ip
160			noweb
161	jmm	17290	nsd3
162	jmm	17231	nspr
163			nss
164	jmm	17348	nss-pam-ldapd
165	jmm	17231	ntp
166			openafs
167			openexr
168			open-iscsi
169			openjdk-6
170			libreoffice
171			opensaml2
172	jmm	17889	openssl (653495)
173	jmm	17231	openswan
174			openvpn
175			osiris
176			pam-pgsql
177			pcre3
178			pcsc-lite
179			pdns
180			pdns-recursor
181			perdition
182			perl
183			pound
184			ppp
185			pptpd
186			proftpd-dfsg
187			psi
188			pstotext
189			pygresql
190	thijs	17273	python2.7
191			python3.2
192	jmm	18023	python3.3
193	jmm	17231	python-cjson
194			qemu
195			qemu-kvm
196			qt4-x11
197			qt-x11-free
198	jmm	17984	rssh (654155)
199	jmm	17802	rsync (652248)
200	jmm	17231	ruby-gnome2
201			sash
202			scponly
203			screen
204			sdl-image1.2
205			slurm-llnl
206			smstools
207			snmptrapfmt
208	jmm	17984	socat (654152)
209	jmm	17231	spamassassin
210			spamass-milter
211			speex
212			splitvt
213			squidguard
214			strongswan
215			subversion
216			sudo
217			suphp
218			syslog-ng
219			systemtap
220			tcpreen
221			telepathy-gabble
222			texinfo
223			tgt
224			tinymux
225			tinyproxy
226			tk8.4
227	thijs	17273	tk8.5
228	jmm	17231	unbound
229			unicon
230			unzip
231			vlc
232			vnc4
233			webcit
234			webkit
235			wesnoth
236			wget
237			wine
238			wml
239			wxwidgets2.6
240	thijs	17273	wxwidgets2.8
241	jmm	17231	wzdftpd
242			x11-xserver-utils
243			xapian-omega
244			xine-lib
245			xmlsec1
246			xml-security-c
247			xmltooling
248			zabbix
249			zodb
250	thijs	17273	zoo
251
252
253	jmm	17985	Packages using dh, but which need additional multiarch changes for compat 9:
254			opensc
255			dia
256
257
258	jmm	17772	Packages using cdbs, which need additional fixes:
259			icedove
260
261	jmm	17965	Packages using Scons, needs additional research:
262			blender
263	jmm	18016	cheesetracker
264	jmm	17772
265	jmm	17965
266	jmm	17312	Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
267	jmm	17286	the upload of dpkg/1.16.1:
268			koffice
269	jmm	17288	libspf2
270	jmm	17338	wordnet
271			sendmail
272	jmm	17349	afuse
273			bomberclone
274			camlimages
275			couchdb
276			crossfire
277			dvipng
278			eggdrop
279			gdm3
280			glib2.0
281			gnutls26
282			gst-plugins-bad0.10
283			gst-plugins-good0.10
284			heimdal
285			icu
286			jabberd14
287			libapache2-mod-fcgid
288			evince
289			libast
290			libgtop2
291			libnss-ldap
292			libpam-ldap
293			libsoup2.4
294			libtasn1-3
295			libtheora
296			libwmf
297			link-grammar
298			lsh-server
299			mediawiki
300			moin
301			pango1.0
302			pmount
303			polipo
304			poppler
305			postgresql-ocaml
306			pulseaudio
307			ruby1.8
308			ruby1.9.1
309			squid3
310			streamripper
311			sword
312			t1lib
313			unalz
314			uw-imap
315			vino
316	jmm	17280
317	jmm	17286
318	jmm	17719	Fixed:
319	jmm	17349	libvirt (0.9.6-1)
320			gimp (2.6.11-4)
321	jmm	17355	ghostscript (9.04~dfsg-1)
322	jmm	17719	samba (2:3.5.11~dfsg-2)
323			libgd2 (2.0.36~rc1~dfsg-6)
324	thijs	17649	sympa (6.1.7~dfsg-1)
325	thijs	17395	mailman (1:2.1.14-3)
326	jmm	17312	ncompress (4.2.4.4-3)
327	jmm	17344	xzgv (5.9-3)
328	jmm	17719	flac (1.2.1-6)
329	thijs	17673	xorg-server (2:1.11.1.901-1)
330	jmm	17719	openldap (2.4.25-4)
331			vim (2:7.3.346-1)
332			freetype (2.4.7-2)
333			python-crypto (2.4-1)
334			xorg-server (2:1.11.1.901-1)
335	gilbert-guest	17529	xpdf (3.03-7)
336	nion	17908	fetchmail (6.3.21-3)
337	jmm	17772	libmusicbrainz-2.1 (2.1_2.1.5-6.1)
338	jmm	17719	network-manager (0.9.1.95-1)
339			libmusicbrainz-2.1 (2.1_2.1.5-6.1)
340			tmux (1.6~svn2630-2)
341			tcpdump (4.2.0~rc1-2)
342			libthai (0.1.16-1)
343			git (1:1.7.7.2-1)
344			man-db (2.6.0.2-3)
345	jmm	17802	elinks (0.12~pre5-6)
346	jmm	17883	zgv (5.9-4)
347	jmm	17886	jasper (1.900.1-11)
348			xfs (1.0.8-7)
349	jmm	17902	fbi (2.07-9)
350	jmm	17889	reprepro (4.5.0-1)
351	jmm	17902	antiword (0.37-8) (653499)
352	jmm	17893	wv2 (0.4.2.dfsg.1-5)
353	jmm	17896	dpkg (1.16.1)
354	jmm	17899	fuse (2.8.6-3)
355	jmm	17902	fontforge (0.0.20110222-6) (653534)
356	jmm	17917	apache2 (2.2.21-4)
357			cabextract (1.4-2) (653509)
358	jmm	17921	htdig (3.2.0b6-12)
359	jmm	17957	xterm (276-2) (653488)
360			enscript (1.6.5.90-2) (653528)
361			amule (2.3.1-2) (653503)
362	jmm	17969	gv (1:3.7.1-2)
363	jmm	17979	bluez-hcidump (2.1-2) (653507)
364	jmm	17998	lighttpd (1.4.30-1) (654151)
365	jmm	17996	pimd (2.1.8-2) (654081)
366			chmlib (2:0.40a-2) (653955)
367	jmm	18007	lynx-cur (6.6.7-4) (654097)
368	jmm	18016	rdesktop (1.7.0-2) (653498)
369	jmm	18023	libpam-krb5 (4.5-3) (654293)
370			curl (7.23.1-3) (654521)
371	jmm	18043	audiofile (0.3.2-1) (651029)
372	jmm	17231
373	jmm	17312
374	jmm	18025
375
376	jmm	17883	Hardening incomplete:
377			gtetrinet (653443)
378
379
380	jmm	17890	Packages, which use hardened build flags manually, but not yet dpkg-buildflags:
381			apr
382			apr-util
383	jmm	17883
384	jmm	17890
385
386	jmm	17291	Packages using hardening-wrapper/-includes (these are considered fixed, although
387	jmm	17289	switching them over to dpkg-buildflags might be worthwhile later on):
388	jmm	17291	netatalk
389			graphicsmagick
390			udev
391			xfce4-terminal
392			openssh
393			evolution
394			dbus
395			libgsf
396			tor
397			evolution-data-server
398	jmm	17289	cyrus-imapd-2.4
399			aria2
400			mysql-5.1
401			cups
402			wireshark
403			squid
404			exim4
405			php5
406			ipsec-tools
407			postgresql-8.4
408			postgresql-9.0
409			postgresql-9.1
410			gnupg2
411			nagios3
412			tiff
413			bind9
414			postfix
415			chromium-browser
416			pidgin
417			nagios-plugins
418			znc
419			cyrus-sasl2
420			ldns
421			quagga
422
423
424
425	jmm	17349
426
427
428	jmm	17354
429
430
431
432
433