secure-testing/hardening/subgoal-dsa.txt

Hardening subgoal for Wheezy:
All packages, which had a DSA since 2006. 

Instructions:
- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
- After NMUing a candidate where all build flags have been successfully enabled, 
  add it to the "Resolved/fixed:" list
- After NMUing a candidate with only some of the build flags enabled, add it to
  the "Partially fixed: list (in order to remember what needs further work in the 
  future)
- cdbs packages should be fixed automatically, but needs to be double-checked


Candidates:

acpid (653502)
alsaplayer (654518)
amarok (653354)
apt (653504)
asterisk (653944)
avahi (all changes present, fixed with next upload)
barnowl (653506)
beid (653956)
bochs (653511)
bzip2 (655164)
capi4hylafax (653539)
cgiirc (suggested removal in #653510)
chrony (655123)
citadel (653514)
clamav (653958)
collectd (suggested removal in #654520)
courier-authlib
cpio (654522)
cscope (653490)
ctorrent (653536)
devil (653535)
dspam (all changes present, fixed with next upload)
djbdns
dkim-milter
dovecot (653530)
drbd8 (currently broken: #654459)
e2fsprogs (654457)
ejabberd
ekg (653531)
emacs23 (655118)
expat (653526)
file (653481)
flex
freeciv (654809)
freeradius
ganglia (655126)
eglibc
gmime2.4
pioneers
gnumeric
gnupg (653480)
gzip
hashcash
heartbeat
hostapd
hplip
httrack
hybserv
hylafax
iceape
iceweasel (653191)
id3lib3.8.3
imagemagick
imlib2
inotify-tools
ircd-hybrid
isakmpd
iscsitarget
kazehakase
kde4libs
kdebase
kdegraphics
kolab-cyrus-imapd (will be removed and built from the cyrus-2.4 package; #647221)
krb5
krb5-appl
ktorrent
kvirc
l2tpns
lasso
lcms (654821)
lftp
libapache2-mod-authnz-external
libapache2-mod-auth-pgsql
libapache-mod-auth-kerb
libapache-mod-jk
libav
cairo (655128)
libcgroup (654819)
libdbd-pg-perl
libdumb
libexif (650998)
libextractor
libfishsound
libhtml-parser-perl
libimager-perl
libmikmod
libmodplug (654817)
libnet-dns-perl
libpng (654149)
librpcsecgss (654808)
libsmi (654812)
libtk-img
libtool
libtunepimp (654832)
libvorbis
libwpd (653947)
libxfont (654154)
libxml2 (654903)
libxslt
links2 (654807)
linux-ftpd
loop-aes-utils
ltsp
lurker
lvm2
maildrop (655133)
mapserver
maradns
memcached (655134)
mimetex
mldonkey (655140)
mlmmj
mon (655137)
mono
mplayer
mplayer2
forked-daapd (654147)
multipath-tools
mutt (654148)
mysql-ocaml
icinga
nas
nbd (653954)
ndiswrapper
netpbm-free
netrik
net-snmp
newt
nginx
no-ip
noweb
nsd3
nspr
nss
ntp
openafs
open-iscsi
openjdk-6
libreoffice
opensaml2
openssl (653495)
openswan (655139)
openvpn (655130)
osiris (suggested removal in 655116)
pam-pgsql
pcre3
pdns
pdns-recursor
perdition
perl
ppp
pptpd
proftpd-dfsg
psi
pstotext (655105)
pygresql
python2.7
python3.2
python3.3
python-cjson
qemu
qemu-kvm
qt4-x11
qt-x11-free
rssh (654155)
rsync (652248)
ruby-gnome2
sash (654909)
scponly
screen
slurm-llnl
smstools
snmptrapfmt
socat (654152)
spamassassin
spamass-milter
speex
splitvt
squidguard
strongswan
subversion
sudo
suphp
syslog-ng (655163)
systemtap
tcpreen
telepathy-gabble
texinfo
tgt
tinyproxy
tk8.4
tk8.5
unbound
unicon
unzip
vlc
vnc4
webcit
webkit
wesnoth
wget (654908)
wine
wml
wxwidgets2.6
wxwidgets2.8
wzdftpd (655141)
x11-xserver-utils
xapian-omega
xine-lib (655146)
xmlsec1
xml-security-c
xmltooling
zabbix
zodb
zoo
vsftpd (655103)


Packages using dh, but which need additional multiarch changes for compat 9:
opensc
openexr
libtorrent-rasterbar
exiv2
libcdaudio
pcsc-lite


Packages using cdbs, which need additional fixes:
icedove

Packages using Scons, needs additional research:
blender
cheesetracker

Packages using cmake, needs additional research:
kaffeine


Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
  the upload of dpkg/1.16.1:
koffice
libspf2
wordnet
sendmail
afuse
bomberclone
camlimages
couchdb
crossfire
dvipng
eggdrop
gdm3
glib2.0
gnutls26
gst-plugins-bad0.10
gst-plugins-good0.10
heimdal
icu
jabberd14
libapache2-mod-fcgid
evince
libast
libgtop2
libnss-ldap
libpam-ldap
libsoup2.4
libtasn1-3
libtheora
link-grammar
lsh-server
mediawiki
moin
pango1.0
pmount
polipo
poppler
postgresql-ocaml
pulseaudio
ruby1.8
ruby1.9.1
squid3
streamripper
sword
t1lib
unalz
uw-imap
vino


Fixed:
libvirt (0.9.6-1)
gimp (2.6.11-4)
ghostscript (9.04~dfsg-1)
samba (2:3.5.11~dfsg-2)
libgd2 (2.0.36~rc1~dfsg-6)
sympa (6.1.7~dfsg-1)
mailman (1:2.1.14-3)
ncompress (4.2.4.4-3)
xzgv (5.9-3)
flac (1.2.1-6)
xorg-server (2:1.11.1.901-1)
openldap (2.4.25-4)
vim (2:7.3.346-1)
freetype (2.4.7-2)
python-crypto (2.4-1)
xorg-server (2:1.11.1.901-1)
xpdf (3.03-7)
fetchmail (6.3.21-3)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
network-manager (0.9.1.95-1)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
tmux (1.6~svn2630-2)
tcpdump (4.2.0~rc1-2)
libthai (0.1.16-1)
git (1:1.7.7.2-1)
man-db (2.6.0.2-3)
elinks (0.12~pre5-6)
zgv (5.9-4)
jasper (1.900.1-11)
xfs (1.0.8-7)
fbi (2.07-9) 
reprepro (4.5.0-1)
antiword (0.37-8) (653499)
wv2 (0.4.2.dfsg.1-5)
dpkg (1.16.1)
fuse (2.8.6-3)
fontforge (0.0.20110222-6) (653534)
apache2 (2.2.21-4)
cabextract (1.4-2) (653509)
htdig (3.2.0b6-12)
xterm (276-2) (653488)
enscript (1.6.5.90-2) (653528)
amule (2.3.1-2) (653503)
gv (1:3.7.1-2)
bluez-hcidump (2.1-2) (653507)
lighttpd (1.4.30-1) (654151)
pimd (2.1.8-2) (654081)
chmlib (2:0.40a-2) (653955)
lynx-cur (6.6.7-4) (654097)
rdesktop (1.7.0-2) (653498)
libpam-krb5 (4.5-3) (654293)
curl (7.23.1-3) (654521)
audiofile (0.3.2-1) (651029)
libarchive (2.8.5-2)
courier (0.66.3-2) (654794)
libsndfile (1.0.25-4) (654831)
libwmf (0.2.8.4-10)
exiftags (1.01-5) (654804) 
nss-pam-ldapd (0.8.5)
isc-dhcp (4.2.2-2)
sdl-image1.2 (1.2.10-3)
mtr (0.82-2) (654117)
dia (0.97.2-4)


Hardening incomplete:
gtetrinet (653443)
firebird2.5 (654793)


Packages, which use hardened build flags manually, but not yet dpkg-buildflags:
apr
apr-util
pound (654833)
mpg123


Packages using hardening-wrapper/-includes (these are considered fixed, although
   switching them over to dpkg-buildflags might be worthwhile later on):
netatalk
graphicsmagick
udev
xfce4-terminal
openssh
evolution
dbus
libgsf
tor
evolution-data-server
cyrus-imapd-2.4
aria2
mysql-5.1
cups
wireshark
squid
exim4
php5
ipsec-tools
postgresql-8.4
postgresql-9.0
postgresql-9.1
gnupg2
nagios3
tiff
bind9
postfix
chromium-browser
pidgin
nagios-plugins
znc
cyrus-sasl2
ldns
quagga


1	jmm	17231	Hardening subgoal for Wheezy:
2			All packages, which had a DSA since 2006.
3
4	gilbert-guest	17234	Instructions:
5			- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
6	gilbert-guest	17235	- After NMUing a candidate where all build flags have been successfully enabled,
7			add it to the "Resolved/fixed:" list
8			- After NMUing a candidate with only some of the build flags enabled, add it to
9			the "Partially fixed: list (in order to remember what needs further work in the
10			future)
11	jmm	17351	- cdbs packages should be fixed automatically, but needs to be double-checked
12	jmm	17231
13
14	jmm	17351	Candidates:
15	jmm	17231
16	jmm	17891	acpid (653502)
17	jmm	18016	alsaplayer (654518)
18	jmm	17885	amarok (653354)
19	jmm	17893	apt (653504)
20	jmm	17965	asterisk (653944)
21			avahi (all changes present, fixed with next upload)
22	jmm	17893	barnowl (653506)
23	jmm	17970	beid (653956)
24	jmm	17895	bochs (653511)
25	jmm	18085	bzip2 (655164)
26	jmm	17901	capi4hylafax (653539)
27	jmm	17969	cgiirc (suggested removal in #653510)
28	jmm	18075	chrony (655123)
29	jmm	17895	citadel (653514)
30	jmm	17971	clamav (653958)
31	jmm	18016	collectd (suggested removal in #654520)
32	jmm	17231	courier-authlib
33	jmm	18024	cpio (654522)
34	jmm	17889	cscope (653490)
35	jmm	17900	ctorrent (653536)
36			devil (653535)
37	jmm	18025	dspam (all changes present, fixed with next upload)
38	jmm	17231	djbdns
39			dkim-milter
40	jmm	17899	dovecot (653530)
41	jmm	18016	drbd8 (currently broken: #654459)
42	jmm	18012	e2fsprogs (654457)
43	jmm	17231	ejabberd
44	jmm	17899	ekg (653531)
45	jmm	18074	emacs23 (655118)
46	jmm	17898	expat (653526)
47	jmm	17886	file (653481)
48	jmm	17231	flex
49	jmm	18048	freeciv (654809)
50	jmm	17231	freeradius
51	jmm	18075	ganglia (655126)
52	jmm	17285	eglibc
53			gmime2.4
54			pioneers
55	jmm	17231	gnumeric
56	jmm	17885	gnupg (653480)
57	jmm	17231	gzip
58			hashcash
59			heartbeat
60			hostapd
61			hplip
62			httrack
63			hybserv
64			hylafax
65			iceape
66	jmm	17883	iceweasel (653191)
67	jmm	17231	id3lib3.8.3
68			imagemagick
69			imlib2
70			inotify-tools
71			ircd-hybrid
72			isakmpd
73			iscsitarget
74			kazehakase
75			kde4libs
76			kdebase
77			kdegraphics
78	jmm	18023	kolab-cyrus-imapd (will be removed and built from the cyrus-2.4 package; #647221)
79	jmm	17231	krb5
80			krb5-appl
81			ktorrent
82			kvirc
83			l2tpns
84			lasso
85	jmm	18050	lcms (654821)
86	jmm	17231	lftp
87			libapache2-mod-authnz-external
88			libapache2-mod-auth-pgsql
89			libapache-mod-auth-kerb
90			libapache-mod-jk
91			libav
92	jmm	18076	cairo (655128)
93	jmm	18050	libcgroup (654819)
94	jmm	17231	libdbd-pg-perl
95			libdumb
96	jmm	17972	libexif (650998)
97	jmm	17231	libextractor
98			libfishsound
99			libhtml-parser-perl
100			libimager-perl
101			libmikmod
102	jmm	18049	libmodplug (654817)
103	jmm	17231	libnet-dns-perl
104	jmm	17983	libpng (654149)
105	jmm	18048	librpcsecgss (654808)
106			libsmi (654812)
107	jmm	17231	libtk-img
108			libtool
109	jmm	18052	libtunepimp (654832)
110	jmm	17231	libvorbis
111	jmm	17969	libwpd (653947)
112	jmm	17984	libxfont (654154)
113	jmm	18065	libxml2 (654903)
114	jmm	17231	libxslt
115	jmm	18047	links2 (654807)
116	jmm	17231	linux-ftpd
117			loop-aes-utils
118			ltsp
119			lurker
120			lvm2
121	jmm	18077	maildrop (655133)
122	jmm	17231	mapserver
123			maradns
124	jmm	18077	memcached (655134)
125	jmm	17231	mimetex
126	jmm	18079	mldonkey (655140)
127	jmm	17231	mlmmj
128	jmm	18078	mon (655137)
129	jmm	17231	mono
130			mplayer
131	jmm	17281	mplayer2
132	jmm	17982	forked-daapd (654147)
133	jmm	17231	multipath-tools
134	jmm	17983	mutt (654148)
135	jmm	17231	mysql-ocaml
136			icinga
137			nas
138	jmm	17970	nbd (653954)
139	jmm	17231	ndiswrapper
140			netpbm-free
141			netrik
142			net-snmp
143			newt
144			nginx
145			no-ip
146			noweb
147	jmm	17290	nsd3
148	jmm	17231	nspr
149			nss
150			ntp
151			openafs
152			open-iscsi
153			openjdk-6
154			libreoffice
155			opensaml2
156	jmm	17889	openssl (653495)
157	jmm	18079	openswan (655139)
158	jmm	18076	openvpn (655130)
159	jmm	18074	osiris (suggested removal in 655116)
160	jmm	17231	pam-pgsql
161			pcre3
162			pdns
163			pdns-recursor
164			perdition
165			perl
166			ppp
167			pptpd
168			proftpd-dfsg
169			psi
170	jmm	18072	pstotext (655105)
171	jmm	17231	pygresql
172	thijs	17273	python2.7
173			python3.2
174	jmm	18023	python3.3
175	jmm	17231	python-cjson
176			qemu
177			qemu-kvm
178			qt4-x11
179			qt-x11-free
180	jmm	17984	rssh (654155)
181	jmm	17802	rsync (652248)
182	jmm	17231	ruby-gnome2
183	jmm	18065	sash (654909)
184	jmm	17231	scponly
185			screen
186			slurm-llnl
187			smstools
188			snmptrapfmt
189	jmm	17984	socat (654152)
190	jmm	17231	spamassassin
191			spamass-milter
192			speex
193			splitvt
194			squidguard
195			strongswan
196			subversion
197			sudo
198			suphp
199	jmm	18084	syslog-ng (655163)
200	jmm	17231	systemtap
201			tcpreen
202			telepathy-gabble
203			texinfo
204			tgt
205			tinyproxy
206			tk8.4
207	thijs	17273	tk8.5
208	jmm	17231	unbound
209			unicon
210			unzip
211			vlc
212			vnc4
213			webcit
214			webkit
215			wesnoth
216	jmm	18065	wget (654908)
217	jmm	17231	wine
218			wml
219			wxwidgets2.6
220	thijs	17273	wxwidgets2.8
221	jmm	18080	wzdftpd (655141)
222	jmm	17231	x11-xserver-utils
223			xapian-omega
224	jmm	18081	xine-lib (655146)
225	jmm	17231	xmlsec1
226			xml-security-c
227			xmltooling
228			zabbix
229			zodb
230	thijs	17273	zoo
231	jmm	18072	vsftpd (655103)
232	thijs	17273
233
234	jmm	17985	Packages using dh, but which need additional multiarch changes for compat 9:
235			opensc
236	jmm	18053	openexr
237			libtorrent-rasterbar
238	jmm	18075	exiv2
239	jmm	18076	libcdaudio
240	jmm	18077	pcsc-lite
241	jmm	17985
242
243	jmm	17772	Packages using cdbs, which need additional fixes:
244			icedove
245
246	jmm	17965	Packages using Scons, needs additional research:
247			blender
248	jmm	18016	cheesetracker
249	jmm	17772
250	jmm	18073	Packages using cmake, needs additional research:
251			kaffeine
252	jmm	17965
253	jmm	18073
254	jmm	17312	Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
255	jmm	17286	the upload of dpkg/1.16.1:
256			koffice
257	jmm	17288	libspf2
258	jmm	17338	wordnet
259			sendmail
260	jmm	17349	afuse
261			bomberclone
262			camlimages
263			couchdb
264			crossfire
265			dvipng
266			eggdrop
267			gdm3
268			glib2.0
269			gnutls26
270			gst-plugins-bad0.10
271			gst-plugins-good0.10
272			heimdal
273			icu
274			jabberd14
275			libapache2-mod-fcgid
276			evince
277			libast
278			libgtop2
279			libnss-ldap
280			libpam-ldap
281			libsoup2.4
282			libtasn1-3
283			libtheora
284			link-grammar
285			lsh-server
286			mediawiki
287			moin
288			pango1.0
289			pmount
290			polipo
291			poppler
292			postgresql-ocaml
293			pulseaudio
294			ruby1.8
295			ruby1.9.1
296			squid3
297			streamripper
298			sword
299			t1lib
300			unalz
301			uw-imap
302			vino
303	jmm	17280
304	jmm	17286
305	jmm	17719	Fixed:
306	jmm	17349	libvirt (0.9.6-1)
307			gimp (2.6.11-4)
308	jmm	17355	ghostscript (9.04~dfsg-1)
309	jmm	17719	samba (2:3.5.11~dfsg-2)
310			libgd2 (2.0.36~rc1~dfsg-6)
311	thijs	17649	sympa (6.1.7~dfsg-1)
312	thijs	17395	mailman (1:2.1.14-3)
313	jmm	17312	ncompress (4.2.4.4-3)
314	jmm	17344	xzgv (5.9-3)
315	jmm	17719	flac (1.2.1-6)
316	thijs	17673	xorg-server (2:1.11.1.901-1)
317	jmm	17719	openldap (2.4.25-4)
318			vim (2:7.3.346-1)
319			freetype (2.4.7-2)
320			python-crypto (2.4-1)
321			xorg-server (2:1.11.1.901-1)
322	gilbert-guest	17529	xpdf (3.03-7)
323	nion	17908	fetchmail (6.3.21-3)
324	jmm	17772	libmusicbrainz-2.1 (2.1_2.1.5-6.1)
325	jmm	17719	network-manager (0.9.1.95-1)
326			libmusicbrainz-2.1 (2.1_2.1.5-6.1)
327			tmux (1.6~svn2630-2)
328			tcpdump (4.2.0~rc1-2)
329			libthai (0.1.16-1)
330			git (1:1.7.7.2-1)
331			man-db (2.6.0.2-3)
332	jmm	17802	elinks (0.12~pre5-6)
333	jmm	17883	zgv (5.9-4)
334	jmm	17886	jasper (1.900.1-11)
335			xfs (1.0.8-7)
336	jmm	17902	fbi (2.07-9)
337	jmm	17889	reprepro (4.5.0-1)
338	jmm	17902	antiword (0.37-8) (653499)
339	jmm	17893	wv2 (0.4.2.dfsg.1-5)
340	jmm	17896	dpkg (1.16.1)
341	jmm	17899	fuse (2.8.6-3)
342	jmm	17902	fontforge (0.0.20110222-6) (653534)
343	jmm	17917	apache2 (2.2.21-4)
344			cabextract (1.4-2) (653509)
345	jmm	17921	htdig (3.2.0b6-12)
346	jmm	17957	xterm (276-2) (653488)
347			enscript (1.6.5.90-2) (653528)
348			amule (2.3.1-2) (653503)
349	jmm	17969	gv (1:3.7.1-2)
350	jmm	17979	bluez-hcidump (2.1-2) (653507)
351	jmm	17998	lighttpd (1.4.30-1) (654151)
352	jmm	17996	pimd (2.1.8-2) (654081)
353			chmlib (2:0.40a-2) (653955)
354	jmm	18007	lynx-cur (6.6.7-4) (654097)
355	jmm	18016	rdesktop (1.7.0-2) (653498)
356	jmm	18023	libpam-krb5 (4.5-3) (654293)
357			curl (7.23.1-3) (654521)
358	jmm	18043	audiofile (0.3.2-1) (651029)
359	jmm	18047	libarchive (2.8.5-2)
360	jmm	18053	courier (0.66.3-2) (654794)
361	jmm	18062	libsndfile (1.0.25-4) (654831)
362	jmm	18064	libwmf (0.2.8.4-10)
363	jmm	18065	exiftags (1.01-5) (654804)
364	jmm	18073	nss-pam-ldapd (0.8.5)
365			isc-dhcp (4.2.2-2)
366	jmm	18080	sdl-image1.2 (1.2.10-3)
367	jmm	18082	mtr (0.82-2) (654117)
368	jmm	18084	dia (0.97.2-4)
369	jmm	17231
370	jmm	17312
371	jmm	18025
372	jmm	17883	Hardening incomplete:
373			gtetrinet (653443)
374	jmm	18046	firebird2.5 (654793)
375	jmm	17883
376
377	jmm	17890	Packages, which use hardened build flags manually, but not yet dpkg-buildflags:
378			apr
379			apr-util
380	jmm	18053	pound (654833)
381	jmm	18078	mpg123
382	jmm	17883
383	jmm	17890
384
385	jmm	17291	Packages using hardening-wrapper/-includes (these are considered fixed, although
386	jmm	17289	switching them over to dpkg-buildflags might be worthwhile later on):
387	jmm	17291	netatalk
388			graphicsmagick
389			udev
390			xfce4-terminal
391			openssh
392			evolution
393			dbus
394			libgsf
395			tor
396			evolution-data-server
397	jmm	17289	cyrus-imapd-2.4
398			aria2
399			mysql-5.1
400			cups
401			wireshark
402			squid
403			exim4
404			php5
405			ipsec-tools
406			postgresql-8.4
407			postgresql-9.0
408			postgresql-9.1
409			gnupg2
410			nagios3
411			tiff
412			bind9
413			postfix
414			chromium-browser
415			pidgin
416			nagios-plugins
417			znc
418			cyrus-sasl2
419			ldns
420			quagga
421
422
423
424	jmm	17349
425
426
427	jmm	17354
428
429
430
431
432