secure-testing/hardening/subgoal-dsa.txt

Hardening subgoal for Wheezy:
All packages, which had a DSA since 2006. 

Instructions:
- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
- After NMUing a candidate where all build flags have been successfully enabled, 
  add it to the "Resolved/fixed:" list
- After NMUing a candidate with only some of the build flags enabled, add it to
  the "Partially fixed: list (in order to remember what needs further work in the 
  future)
- cdbs packages should be fixed automatically, but needs to be double-checked


Candidates:

alsaplayer (654518)
amarok (653354)
apt (653504)
asterisk (653944)
barnowl (653506)
beid (653956)
bochs (653511)
bzip2 (655164)
capi4hylafax (653539)
chrony (655123)
citadel (653514)
clamav (653958)
courier-authlib (655168)
cpio (654522)
cscope (653490)
ctorrent (653536)
devil (653535)
dspam (655189)
dovecot (653530)
drbd8 (currently broken: #654459)
e2fsprogs (654457)
ejabberd
ekg (653531)
emacs23 (655118)
expat (653526)
file (653481)
flex (655414)
freeciv (654809)
freeradius
ganglia (655126)
eglibc
gmime2.4
pioneers
gnumeric
gnupg (653480)
gzip
hashcash
heartbeat
hostapd
hplip
httrack
hylafax
iceape
iceweasel (653191)
imagemagick
imlib2
inotify-tools
ircd-hybrid
isakmpd
iscsitarget
kazehakase
krb5 (655248)
krb5-appl
l2tpns
lasso
lcms (654821)
lftp
libapache2-mod-authnz-external
libapache2-mod-auth-pgsql
libapache-mod-auth-kerb
libapache-mod-jk
libav
cairo (655128)
libcgroup (654819)
libdbd-pg-perl
libdumb
libexif (650998)
libextractor
libfishsound
libhtml-parser-perl
libimager-perl
libmikmod
libmodplug (654817)
libnet-dns-perl
librpcsecgss (654808)
libtk-img
libtool
libtunepimp (654832)
libvorbis
libwpd (653947)
libxfont (654154)
libxml2 (654903)
libxslt
links2 (654807)
linux-ftpd
loop-aes-utils
ltsp
lurker
lvm2
maildrop (655133)
mapserver
maradns
memcached (655134)
mimetex
mlmmj
mono
mplayer
mplayer2
forked-daapd (654147)
multipath-tools
mutt (654148)
mysql-ocaml
icinga
nas
nbd (653954)
ndiswrapper (655249)
netpbm-free
netrik
net-snmp
newt
nginx
noweb
nspr
nss
ntp
openafs
open-iscsi
openjdk-6
libreoffice
opensaml2
openssl (653495)
openswan (655139)
openvpn (655130)
pam-pgsql
pcre3
pdns
pdns-recursor
perdition (655412)
perl
ppp
pptpd
proftpd-dfsg
psi
pstotext (655105)
pygresql
python2.7
python3.2
python3.3
python-cjson
qemu
qemu-kvm
qt4-x11
qt-x11-free
rssh (654155)
rsync (652248)
ruby-gnome2 (655415)
sash (654909)
scponly
screen
slurm-llnl
smstools
snmptrapfmt
socat (654152)
spamassassin
spamass-milter
speex
splitvt
squidguard
strongswan
subversion
sudo (655417)
suphp (655419)
syslog-ng (655163)
systemtap
tcpreen (655250)
telepathy-gabble
texinfo
tgt
tinyproxy
tk8.4
tk8.5
unbound
unicon
unzip
vlc
vnc4
webcit
webkit
wesnoth
wget (654908)
wine
wml
wxwidgets2.6
wxwidgets2.8
wzdftpd (655141)
x11-xserver-utils
xapian-omega
xine-lib (655146)
xmlsec1
xml-security-c
xmltooling
zabbix
zodb
zoo
vsftpd (655103)
collectd


Packages using dh, but which need additional multiarch changes for compat 9:
opensc
openexr
libtorrent-rasterbar
exiv2
libcdaudio
pcsc-lite
id3lib3.8.3


Packages using cdbs, which need additional fixes:
icedove

Packages using Scons, needs additional research:
blender

Packages using cmake, needs additional research:
kaffeine
kdebase
kde4libs
kdegraphics
ktorrent
kvirc


Packages, which should rather be removed than hardened:
cgiirc (suggested removal in #653510)
djbdns
dkim-milter (currently broken, dropped from testing: #629663)
kolab-cyrus-imapd (will be removed and built from the cyrus-2.4 package; #647221)
osiris (suggested removal in 655116)


Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
  the upload of dpkg/1.16.1:
koffice
libspf2
wordnet
sendmail
afuse
bomberclone
camlimages
couchdb
crossfire
dvipng
eggdrop
gdm3
glib2.0
gnutls26
gst-plugins-bad0.10
gst-plugins-good0.10
heimdal
icu
jabberd14
libapache2-mod-fcgid
evince
libast
libgtop2
libnss-ldap
libpam-ldap
libsoup2.4
libtasn1-3
libtheora
link-grammar
lsh-server
mediawiki
moin
pango1.0
pmount
polipo
poppler
postgresql-ocaml
pulseaudio
ruby1.8
ruby1.9.1
squid3
streamripper
sword
t1lib
unalz
uw-imap
vino


Fixed:
libvirt (0.9.6-1)
gimp (2.6.11-4)
ghostscript (9.04~dfsg-1)
samba (2:3.5.11~dfsg-2)
libgd2 (2.0.36~rc1~dfsg-6)
sympa (6.1.7~dfsg-1)
mailman (1:2.1.14-3)
ncompress (4.2.4.4-3)
xzgv (5.9-3)
flac (1.2.1-6)
xorg-server (2:1.11.1.901-1)
openldap (2.4.25-4)
vim (2:7.3.346-1)
freetype (2.4.7-2)
python-crypto (2.4-1)
xorg-server (2:1.11.1.901-1)
xpdf (3.03-7)
fetchmail (6.3.21-3)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
network-manager (0.9.1.95-1)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
tmux (1.6~svn2630-2)
tcpdump (4.2.0~rc1-2)
libthai (0.1.16-1)
git (1:1.7.7.2-1)
man-db (2.6.0.2-3)
elinks (0.12~pre5-6)
zgv (5.9-4)
jasper (1.900.1-11)
xfs (1.0.8-7)
fbi (2.07-9) 
reprepro (4.5.0-1)
antiword (0.37-8) (653499)
wv2 (0.4.2.dfsg.1-5)
dpkg (1.16.1)
fuse (2.8.6-3)
fontforge (0.0.20110222-6) (653534)
apache2 (2.2.21-4)
cabextract (1.4-2) (653509)
htdig (3.2.0b6-12)
xterm (276-2) (653488)
enscript (1.6.5.90-2) (653528)
amule (2.3.1-2) (653503)
gv (1:3.7.1-2)
bluez-hcidump (2.1-2) (653507)
lighttpd (1.4.30-1) (654151)
pimd (2.1.8-2) (654081)
chmlib (2:0.40a-2) (653955)
lynx-cur (6.6.7-4) (654097)
rdesktop (1.7.0-2) (653498)
libpam-krb5 (4.5-3) (654293)
curl (7.23.1-3) (654521)
audiofile (0.3.2-1) (651029)
libarchive (2.8.5-2)
courier (0.66.3-2) (654794)
libsndfile (1.0.25-4) (654831)
libwmf (0.2.8.4-10)
exiftags (1.01-5) (654804) 
nss-pam-ldapd (0.8.5)
isc-dhcp (4.2.2-2)
sdl-image1.2 (1.2.10-3)
mtr (0.82-2) (654117)
dia (0.97.2-4)
libpng (1.2.46-4) (654149)
mldonkey (3.1.0-3) (655140)
avahi (0.6.30-6) (655188)
mon (1.2.0-5) (655137)
acpid (1:2.0.14-2) (653502)
libsmi (0.4.8+dfsg2-5) (654812)


Hardening incomplete:
gtetrinet (653443)
firebird2.5 (654793)


Packages, which use hardened build flags manually, but not yet dpkg-buildflags:
apr
apr-util
pound (654833)
mpg123


Packages using hardening-wrapper/-includes (these are considered fixed, although
   switching them over to dpkg-buildflags might be worthwhile later on):
netatalk
graphicsmagick
udev
xfce4-terminal
openssh
evolution
dbus
libgsf
tor
evolution-data-server
cyrus-imapd-2.4
aria2
mysql-5.1
cups
wireshark
squid
exim4
php5
ipsec-tools
postgresql-8.4
postgresql-9.0
postgresql-9.1
gnupg2
nagios3
tiff
bind9
postfix
chromium-browser
pidgin
nagios-plugins
znc
cyrus-sasl2
ldns
quagga
nsd3


1	jmm	17231	Hardening subgoal for Wheezy:
2			All packages, which had a DSA since 2006.
3
4	gilbert-guest	17234	Instructions:
5			- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
6	gilbert-guest	17235	- After NMUing a candidate where all build flags have been successfully enabled,
7			add it to the "Resolved/fixed:" list
8			- After NMUing a candidate with only some of the build flags enabled, add it to
9			the "Partially fixed: list (in order to remember what needs further work in the
10			future)
11	jmm	17351	- cdbs packages should be fixed automatically, but needs to be double-checked
12	jmm	17231
13
14	jmm	17351	Candidates:
15	jmm	17231
16	jmm	18016	alsaplayer (654518)
17	jmm	17885	amarok (653354)
18	jmm	17893	apt (653504)
19	jmm	17965	asterisk (653944)
20	jmm	17893	barnowl (653506)
21	jmm	17970	beid (653956)
22	jmm	17895	bochs (653511)
23	jmm	18085	bzip2 (655164)
24	jmm	17901	capi4hylafax (653539)
25	jmm	18075	chrony (655123)
26	jmm	17895	citadel (653514)
27	jmm	17971	clamav (653958)
28	jmm	18090	courier-authlib (655168)
29	jmm	18024	cpio (654522)
30	jmm	17889	cscope (653490)
31	jmm	17900	ctorrent (653536)
32			devil (653535)
33	jmm	18091	dspam (655189)
34	jmm	17899	dovecot (653530)
35	jmm	18016	drbd8 (currently broken: #654459)
36	jmm	18012	e2fsprogs (654457)
37	jmm	17231	ejabberd
38	jmm	17899	ekg (653531)
39	jmm	18074	emacs23 (655118)
40	jmm	17898	expat (653526)
41	jmm	17886	file (653481)
42	jmm	18113	flex (655414)
43	jmm	18048	freeciv (654809)
44	jmm	17231	freeradius
45	jmm	18075	ganglia (655126)
46	jmm	17285	eglibc
47			gmime2.4
48			pioneers
49	jmm	17231	gnumeric
50	jmm	17885	gnupg (653480)
51	jmm	17231	gzip
52			hashcash
53			heartbeat
54			hostapd
55			hplip
56			httrack
57			hylafax
58			iceape
59	jmm	17883	iceweasel (653191)
60	jmm	17231	imagemagick
61			imlib2
62			inotify-tools
63			ircd-hybrid
64			isakmpd
65			iscsitarget
66			kazehakase
67	jmm	18098	krb5 (655248)
68	jmm	17231	krb5-appl
69			l2tpns
70			lasso
71	jmm	18050	lcms (654821)
72	jmm	17231	lftp
73			libapache2-mod-authnz-external
74			libapache2-mod-auth-pgsql
75			libapache-mod-auth-kerb
76			libapache-mod-jk
77			libav
78	jmm	18076	cairo (655128)
79	jmm	18050	libcgroup (654819)
80	jmm	17231	libdbd-pg-perl
81			libdumb
82	jmm	17972	libexif (650998)
83	jmm	17231	libextractor
84			libfishsound
85			libhtml-parser-perl
86			libimager-perl
87			libmikmod
88	jmm	18049	libmodplug (654817)
89	jmm	17231	libnet-dns-perl
90	jmm	18048	librpcsecgss (654808)
91	jmm	17231	libtk-img
92			libtool
93	jmm	18052	libtunepimp (654832)
94	jmm	17231	libvorbis
95	jmm	17969	libwpd (653947)
96	jmm	17984	libxfont (654154)
97	jmm	18065	libxml2 (654903)
98	jmm	17231	libxslt
99	jmm	18047	links2 (654807)
100	jmm	17231	linux-ftpd
101			loop-aes-utils
102			ltsp
103			lurker
104			lvm2
105	jmm	18077	maildrop (655133)
106	jmm	17231	mapserver
107			maradns
108	jmm	18077	memcached (655134)
109	jmm	17231	mimetex
110			mlmmj
111			mono
112			mplayer
113	jmm	17281	mplayer2
114	jmm	17982	forked-daapd (654147)
115	jmm	17231	multipath-tools
116	jmm	17983	mutt (654148)
117	jmm	17231	mysql-ocaml
118			icinga
119			nas
120	jmm	17970	nbd (653954)
121	jmm	18098	ndiswrapper (655249)
122	jmm	17231	netpbm-free
123			netrik
124			net-snmp
125			newt
126			nginx
127			noweb
128			nspr
129			nss
130			ntp
131			openafs
132			open-iscsi
133			openjdk-6
134			libreoffice
135			opensaml2
136	jmm	17889	openssl (653495)
137	jmm	18079	openswan (655139)
138	jmm	18076	openvpn (655130)
139	jmm	17231	pam-pgsql
140			pcre3
141			pdns
142			pdns-recursor
143	jmm	18113	perdition (655412)
144	jmm	17231	perl
145			ppp
146			pptpd
147			proftpd-dfsg
148			psi
149	jmm	18072	pstotext (655105)
150	jmm	17231	pygresql
151	thijs	17273	python2.7
152			python3.2
153	jmm	18023	python3.3
154	jmm	17231	python-cjson
155			qemu
156			qemu-kvm
157			qt4-x11
158			qt-x11-free
159	jmm	17984	rssh (654155)
160	jmm	17802	rsync (652248)
161	jmm	18114	ruby-gnome2 (655415)
162	jmm	18065	sash (654909)
163	jmm	17231	scponly
164			screen
165			slurm-llnl
166			smstools
167			snmptrapfmt
168	jmm	17984	socat (654152)
169	jmm	17231	spamassassin
170			spamass-milter
171			speex
172			splitvt
173			squidguard
174			strongswan
175			subversion
176	jmm	18114	sudo (655417)
177	jmm	18121	suphp (655419)
178	jmm	18084	syslog-ng (655163)
179	jmm	17231	systemtap
180	jmm	18101	tcpreen (655250)
181	jmm	17231	telepathy-gabble
182			texinfo
183			tgt
184			tinyproxy
185			tk8.4
186	thijs	17273	tk8.5
187	jmm	17231	unbound
188			unicon
189			unzip
190			vlc
191			vnc4
192			webcit
193			webkit
194			wesnoth
195	jmm	18065	wget (654908)
196	jmm	17231	wine
197			wml
198			wxwidgets2.6
199	thijs	17273	wxwidgets2.8
200	jmm	18080	wzdftpd (655141)
201	jmm	17231	x11-xserver-utils
202			xapian-omega
203	jmm	18081	xine-lib (655146)
204	jmm	17231	xmlsec1
205			xml-security-c
206			xmltooling
207			zabbix
208			zodb
209	thijs	17273	zoo
210	jmm	18072	vsftpd (655103)
211	jmm	18095	collectd
212	thijs	17273
213
214	jmm	17985	Packages using dh, but which need additional multiarch changes for compat 9:
215			opensc
216	jmm	18053	openexr
217			libtorrent-rasterbar
218	jmm	18075	exiv2
219	jmm	18076	libcdaudio
220	jmm	18077	pcsc-lite
221	jmm	18101	id3lib3.8.3
222	jmm	17985
223
224	jmm	17772	Packages using cdbs, which need additional fixes:
225			icedove
226
227	jmm	17965	Packages using Scons, needs additional research:
228			blender
229	jmm	17772
230	jmm	18073	Packages using cmake, needs additional research:
231			kaffeine
232	jmm	18095	kdebase
233			kde4libs
234			kdegraphics
235			ktorrent
236			kvirc
237	jmm	17965
238	jmm	18073
239	jmm	18090	Packages, which should rather be removed than hardened:
240			cgiirc (suggested removal in #653510)
241			djbdns
242			dkim-milter (currently broken, dropped from testing: #629663)
243			kolab-cyrus-imapd (will be removed and built from the cyrus-2.4 package; #647221)
244			osiris (suggested removal in 655116)
245
246
247
248	jmm	17312	Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
249	jmm	17286	the upload of dpkg/1.16.1:
250			koffice
251	jmm	17288	libspf2
252	jmm	17338	wordnet
253			sendmail
254	jmm	17349	afuse
255			bomberclone
256			camlimages
257			couchdb
258			crossfire
259			dvipng
260			eggdrop
261			gdm3
262			glib2.0
263			gnutls26
264			gst-plugins-bad0.10
265			gst-plugins-good0.10
266			heimdal
267			icu
268			jabberd14
269			libapache2-mod-fcgid
270			evince
271			libast
272			libgtop2
273			libnss-ldap
274			libpam-ldap
275			libsoup2.4
276			libtasn1-3
277			libtheora
278			link-grammar
279			lsh-server
280			mediawiki
281			moin
282			pango1.0
283			pmount
284			polipo
285			poppler
286			postgresql-ocaml
287			pulseaudio
288			ruby1.8
289			ruby1.9.1
290			squid3
291			streamripper
292			sword
293			t1lib
294			unalz
295			uw-imap
296			vino
297	jmm	17280
298	jmm	17286
299	jmm	17719	Fixed:
300	jmm	17349	libvirt (0.9.6-1)
301			gimp (2.6.11-4)
302	jmm	17355	ghostscript (9.04~dfsg-1)
303	jmm	17719	samba (2:3.5.11~dfsg-2)
304			libgd2 (2.0.36~rc1~dfsg-6)
305	thijs	17649	sympa (6.1.7~dfsg-1)
306	thijs	17395	mailman (1:2.1.14-3)
307	jmm	17312	ncompress (4.2.4.4-3)
308	jmm	17344	xzgv (5.9-3)
309	jmm	17719	flac (1.2.1-6)
310	thijs	17673	xorg-server (2:1.11.1.901-1)
311	jmm	17719	openldap (2.4.25-4)
312			vim (2:7.3.346-1)
313			freetype (2.4.7-2)
314			python-crypto (2.4-1)
315			xorg-server (2:1.11.1.901-1)
316	gilbert-guest	17529	xpdf (3.03-7)
317	nion	17908	fetchmail (6.3.21-3)
318	jmm	17772	libmusicbrainz-2.1 (2.1_2.1.5-6.1)
319	jmm	17719	network-manager (0.9.1.95-1)
320			libmusicbrainz-2.1 (2.1_2.1.5-6.1)
321			tmux (1.6~svn2630-2)
322			tcpdump (4.2.0~rc1-2)
323			libthai (0.1.16-1)
324			git (1:1.7.7.2-1)
325			man-db (2.6.0.2-3)
326	jmm	17802	elinks (0.12~pre5-6)
327	jmm	17883	zgv (5.9-4)
328	jmm	17886	jasper (1.900.1-11)
329			xfs (1.0.8-7)
330	jmm	17902	fbi (2.07-9)
331	jmm	17889	reprepro (4.5.0-1)
332	jmm	17902	antiword (0.37-8) (653499)
333	jmm	17893	wv2 (0.4.2.dfsg.1-5)
334	jmm	17896	dpkg (1.16.1)
335	jmm	17899	fuse (2.8.6-3)
336	jmm	17902	fontforge (0.0.20110222-6) (653534)
337	jmm	17917	apache2 (2.2.21-4)
338			cabextract (1.4-2) (653509)
339	jmm	17921	htdig (3.2.0b6-12)
340	jmm	17957	xterm (276-2) (653488)
341			enscript (1.6.5.90-2) (653528)
342			amule (2.3.1-2) (653503)
343	jmm	17969	gv (1:3.7.1-2)
344	jmm	17979	bluez-hcidump (2.1-2) (653507)
345	jmm	17998	lighttpd (1.4.30-1) (654151)
346	jmm	17996	pimd (2.1.8-2) (654081)
347			chmlib (2:0.40a-2) (653955)
348	jmm	18007	lynx-cur (6.6.7-4) (654097)
349	jmm	18016	rdesktop (1.7.0-2) (653498)
350	jmm	18023	libpam-krb5 (4.5-3) (654293)
351			curl (7.23.1-3) (654521)
352	jmm	18043	audiofile (0.3.2-1) (651029)
353	jmm	18047	libarchive (2.8.5-2)
354	jmm	18053	courier (0.66.3-2) (654794)
355	jmm	18062	libsndfile (1.0.25-4) (654831)
356	jmm	18064	libwmf (0.2.8.4-10)
357	jmm	18065	exiftags (1.01-5) (654804)
358	jmm	18073	nss-pam-ldapd (0.8.5)
359			isc-dhcp (4.2.2-2)
360	jmm	18080	sdl-image1.2 (1.2.10-3)
361	jmm	18082	mtr (0.82-2) (654117)
362	jmm	18084	dia (0.97.2-4)
363	jmm	18095	libpng (1.2.46-4) (654149)
364	jmm	18101	mldonkey (3.1.0-3) (655140)
365			avahi (0.6.30-6) (655188)
366	jmm	18106	mon (1.2.0-5) (655137)
367	jmm	18107	acpid (1:2.0.14-2) (653502)
368			libsmi (0.4.8+dfsg2-5) (654812)
369	jmm	17231
370	jmm	17312
371	jmm	18025
372	jmm	18107
373
374	jmm	17883	Hardening incomplete:
375			gtetrinet (653443)
376	jmm	18046	firebird2.5 (654793)
377	jmm	17883
378
379	jmm	17890	Packages, which use hardened build flags manually, but not yet dpkg-buildflags:
380			apr
381			apr-util
382	jmm	18053	pound (654833)
383	jmm	18078	mpg123
384	jmm	17883
385	jmm	17890
386
387	jmm	17291	Packages using hardening-wrapper/-includes (these are considered fixed, although
388	jmm	17289	switching them over to dpkg-buildflags might be worthwhile later on):
389	jmm	17291	netatalk
390			graphicsmagick
391			udev
392			xfce4-terminal
393			openssh
394			evolution
395			dbus
396			libgsf
397			tor
398			evolution-data-server
399	jmm	17289	cyrus-imapd-2.4
400			aria2
401			mysql-5.1
402			cups
403			wireshark
404			squid
405			exim4
406			php5
407			ipsec-tools
408			postgresql-8.4
409			postgresql-9.0
410			postgresql-9.1
411			gnupg2
412			nagios3
413			tiff
414			bind9
415			postfix
416			chromium-browser
417			pidgin
418			nagios-plugins
419			znc
420			cyrus-sasl2
421			ldns
422			quagga
423	jmm	18113	nsd3
424	jmm	17289
425
426
427	jmm	17349
428
429
430	jmm	17354
431
432
433
434
435