secure-testing/hardening/subgoal-dsa.txt

Hardening subgoal for Wheezy:
All packages, which had a DSA since 2006. 

Instructions:
- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
- After NMUing a candidate where all build flags have been successfully enabled, 
  add it to the "Resolved/fixed:" list
- After NMUing a candidate with only some of the build flags enabled, add it to
  the "Partially fixed: list (in order to remember what needs further work in the 
  future)
- cdbs packages should be fixed automatically, but needs to be double-checked


Candidates:

abcmidi
acpid
alsaplayer
amarok
amule
antiword
apache2
apr
apr-util
apt
asterisk
audiofile
avahi
barnowl
beid
blender
bluez-hcidump
bochs
bsdgames
bzip2
cabextract
capi4hylafax
cgiirc
cheesetracker
chmlib
chrony
citadel
clamav
collectd
courier
courier-authlib
cpio
crawl
cscope
ctorrent
curl
cyrus-imapd-2.2
devil
devscripts
dia
djbdns
dkim-milter
dovecot
dpkg
drbd8
dspam
e2fsprogs
ejabberd
ekg
elinks
emacs23
enscript
exiftags
exiv2
expat
fbi
fetchmail
file
firebird2.5
flac
flex
fontforge
freeciv
freeradius
freetype
fuse
ganglia
git-core
eglibc
gmime2.4
pioneers
gnumeric
gnupg
gv
gzip
hashcash
heartbeat
hostapd
hplip
htdig
httrack
hybserv
hylafax
iceape
iceweasel
id3lib3.8.3
imagemagick
imlib2
inotify-tools
ircd-hybrid
isakmpd
isc-dhcp
iscsitarget
jasper
kaffeine
kazehakase
kde4libs
kdebase
kdegraphics
kolab-cyrus-imapd
krb5
krb5-appl
ktorrent
kvirc
l2tpns
lasso
lcms
lftp
libapache2-mod-authnz-external
libapache2-mod-auth-pgsql
libapache-mod-auth-kerb
libapache-mod-jk
libarchive
libav
cairo
libcdaudio
libcgroup
libdbd-pg-perl
libdumb
libexif
libextractor
libfishsound
libhtml-parser-perl
libimager-perl
libmikmod
libmodplug
libnet-dns-perl
libpam-heimdal
libpam-krb5
libpng
librpcsecgss
libsmi
libsndfile
libthai
libtk-img
libtool
libtorrent-rasterbar
libtunepimp
libvorbis
libwpd
libxfont
libxml2
libxslt
lighttpd
links2
linux-ftpd
loop-aes-utils
ltsp
lurker
lvm2
lynx-cur
maildrop
mapserver
maradns
memcached
mimetex
mldonkey
mlmmj
mon
mono
mpg123
mplayer
mplayer2
forked-daapd
mtr
multipath-tools
mutt
mysql-ocaml
icinga
nas
nbd
ndiswrapper
netpbm-free
netrik
net-snmp
network-manager
newt
nginx
no-ip
noweb
nsd3
nspr
nss
nss-pam-ldapd
ntp
openafs
openexr
open-iscsi
openjdk-6
openldap
libreoffice
opensaml2
opensc
openssl
openswan
openvpn
oprofile
osiris
pam-pgsql
pcre3
pcsc-lite
pdns
pdns-recursor
perdition
perl
petris
pimd
pinball
pound
ppp
pptpd
proftpd-dfsg
psi
pstotext
pygresql
python2.6
python2.7
python3.2
python-cjson
python-crypto
qemu
qemu-kvm
qt4-x11
qt-x11-free
rdesktop
reprepro
rssh
rsync
ruby-gnome2
samba
sash
scponly
screen
sdl-image1.2
slurm-llnl
smstools
snmptrapfmt
socat
spamassassin
spamass-milter
speex
splitvt
squidguard
strongswan
subversion
sudo
suphp
syslog-ng
systemtap
tcpreen
telepathy-gabble
texinfo
tgt
thttpd
tinymux
tinyproxy
tk8.4
tk8.5
tuxpaint
typespeed
unbound
unicon
unzip
util-linux
vim
vlc
vnc4
webcit
webkit
wesnoth
wget
wine
wml
wv2
wxwidgets2.6
wxwidgets2.8
wzdftpd
x11-xserver-utils
xapian-omega
xfs
xine-lib
xmcd
xmlsec1
xml-security-c
xmltooling
xorg-server
xpdf
xterm
zabbix
zgv
zodb
zoo


Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
  the upload of dpkg/1.16.1:
koffice
kphone
libgd2
libspf2
wordnet
sendmail
afuse
bomberclone
camlimages
couchdb
crossfire
dvipng
eggdrop
gdm3
glib2.0
gnutls26
gst-plugins-bad0.10
gst-plugins-good0.10
gtetrinet
heimdal
icedove
icu
jabberd14
libapache2-mod-fcgid
evince
libast
libgtop2
libnss-ldap
libpam-ldap
libsoup2.4
libtasn1-3
libtheora
libwmf
link-grammar
lsh-server
mediawiki
moin
pango1.0
pmount
polipo
poppler
postgresql-ocaml
pulseaudio
ruby1.8
ruby1.9.1
squid3
streamripper
sword
sympa (#644827)
t1lib
unalz
uw-imap
vino


Partially fixed:
libmusicbrainz-2.1 (2.1_2.1.5-6.1) (znow missing)


Fixed through cdbs (log or pkg should be checked, before moving to
Resolved/fixed, since some Makefile or buildsystem foo might reset
flags)
libvirt (0.9.6-1)
gimp (2.6.11-4)
ghostscript (9.04~dfsg-1)


Resolved/fixed: (should be double-checked with hardening-check from
hardening-includes before moving it here):
mailman (1:2.1.14-3)
ncompress (4.2.4.4-3)
xzgv (5.9-3)


Packages using hardening-wrapper/-includes (these are considered fixed, although
   switching them over to dpkg-buildflags might be worthwhile later on):
tmux
netatalk
man-db
graphicsmagick
udev
xfce4-terminal
openssh
evolution
dbus
tcpdump
libgsf
tor
evolution-data-server
cyrus-imapd-2.4
aria2
mysql-5.1
cups
wireshark
squid
exim4
php5
ipsec-tools
postgresql-8.4
postgresql-9.0
postgresql-9.1
gnupg2
nagios3
tiff
bind9
postfix
chromium-browser
pidgin
nagios-plugins
znc
cyrus-sasl2
ldns
quagga


1	Hardening subgoal for Wheezy:
2	All packages, which had a DSA since 2006.
3
4	Instructions:
5	- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
6	- After NMUing a candidate where all build flags have been successfully enabled,
7	add it to the "Resolved/fixed:" list
8	- After NMUing a candidate with only some of the build flags enabled, add it to
9	the "Partially fixed: list (in order to remember what needs further work in the
10	future)
11	- cdbs packages should be fixed automatically, but needs to be double-checked
12
13
14	Candidates:
15
16	abcmidi
17	acpid
18	alsaplayer
19	amarok
20	amule
21	antiword
22	apache2
23	apr
24	apr-util
25	apt
26	asterisk
27	audiofile
28	avahi
29	barnowl
30	beid
31	blender
32	bluez-hcidump
33	bochs
34	bsdgames
35	bzip2
36	cabextract
37	capi4hylafax
38	cgiirc
39	cheesetracker
40	chmlib
41	chrony
42	citadel
43	clamav
44	collectd
45	courier
46	courier-authlib
47	cpio
48	crawl
49	cscope
50	ctorrent
51	curl
52	cyrus-imapd-2.2
53	devil
54	devscripts
55	dia
56	djbdns
57	dkim-milter
58	dovecot
59	dpkg
60	drbd8
61	dspam
62	e2fsprogs
63	ejabberd
64	ekg
65	elinks
66	emacs23
67	enscript
68	exiftags
69	exiv2
70	expat
71	fbi
72	fetchmail
73	file
74	firebird2.5
75	flac
76	flex
77	fontforge
78	freeciv
79	freeradius
80	freetype
81	fuse
82	ganglia
83	git-core
84	eglibc
85	gmime2.4
86	pioneers
87	gnumeric
88	gnupg
89	gv
90	gzip
91	hashcash
92	heartbeat
93	hostapd
94	hplip
95	htdig
96	httrack
97	hybserv
98	hylafax
99	iceape
100	iceweasel
101	id3lib3.8.3
102	imagemagick
103	imlib2
104	inotify-tools
105	ircd-hybrid
106	isakmpd
107	isc-dhcp
108	iscsitarget
109	jasper
110	kaffeine
111	kazehakase
112	kde4libs
113	kdebase
114	kdegraphics
115	kolab-cyrus-imapd
116	krb5
117	krb5-appl
118	ktorrent
119	kvirc
120	l2tpns
121	lasso
122	lcms
123	lftp
124	libapache2-mod-authnz-external
125	libapache2-mod-auth-pgsql
126	libapache-mod-auth-kerb
127	libapache-mod-jk
128	libarchive
129	libav
130	cairo
131	libcdaudio
132	libcgroup
133	libdbd-pg-perl
134	libdumb
135	libexif
136	libextractor
137	libfishsound
138	libhtml-parser-perl
139	libimager-perl
140	libmikmod
141	libmodplug
142	libnet-dns-perl
143	libpam-heimdal
144	libpam-krb5
145	libpng
146	librpcsecgss
147	libsmi
148	libsndfile
149	libthai
150	libtk-img
151	libtool
152	libtorrent-rasterbar
153	libtunepimp
154	libvorbis
155	libwpd
156	libxfont
157	libxml2
158	libxslt
159	lighttpd
160	links2
161	linux-ftpd
162	loop-aes-utils
163	ltsp
164	lurker
165	lvm2
166	lynx-cur
167	maildrop
168	mapserver
169	maradns
170	memcached
171	mimetex
172	mldonkey
173	mlmmj
174	mon
175	mono
176	mpg123
177	mplayer
178	mplayer2
179	forked-daapd
180	mtr
181	multipath-tools
182	mutt
183	mysql-ocaml
184	icinga
185	nas
186	nbd
187	ndiswrapper
188	netpbm-free
189	netrik
190	net-snmp
191	network-manager
192	newt
193	nginx
194	no-ip
195	noweb
196	nsd3
197	nspr
198	nss
199	nss-pam-ldapd
200	ntp
201	openafs
202	openexr
203	open-iscsi
204	openjdk-6
205	openldap
206	libreoffice
207	opensaml2
208	opensc
209	openssl
210	openswan
211	openvpn
212	oprofile
213	osiris
214	pam-pgsql
215	pcre3
216	pcsc-lite
217	pdns
218	pdns-recursor
219	perdition
220	perl
221	petris
222	pimd
223	pinball
224	pound
225	ppp
226	pptpd
227	proftpd-dfsg
228	psi
229	pstotext
230	pygresql
231	python2.6
232	python2.7
233	python3.2
234	python-cjson
235	python-crypto
236	qemu
237	qemu-kvm
238	qt4-x11
239	qt-x11-free
240	rdesktop
241	reprepro
242	rssh
243	rsync
244	ruby-gnome2
245	samba
246	sash
247	scponly
248	screen
249	sdl-image1.2
250	slurm-llnl
251	smstools
252	snmptrapfmt
253	socat
254	spamassassin
255	spamass-milter
256	speex
257	splitvt
258	squidguard
259	strongswan
260	subversion
261	sudo
262	suphp
263	syslog-ng
264	systemtap
265	tcpreen
266	telepathy-gabble
267	texinfo
268	tgt
269	thttpd
270	tinymux
271	tinyproxy
272	tk8.4
273	tk8.5
274	tuxpaint
275	typespeed
276	unbound
277	unicon
278	unzip
279	util-linux
280	vim
281	vlc
282	vnc4
283	webcit
284	webkit
285	wesnoth
286	wget
287	wine
288	wml
289	wv2
290	wxwidgets2.6
291	wxwidgets2.8
292	wzdftpd
293	x11-xserver-utils
294	xapian-omega
295	xfs
296	xine-lib
297	xmcd
298	xmlsec1
299	xml-security-c
300	xmltooling
301	xorg-server
302	xpdf
303	xterm
304	zabbix
305	zgv
306	zodb
307	zoo
308
309
310	Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
311	the upload of dpkg/1.16.1:
312	koffice
313	kphone
314	libgd2
315	libspf2
316	wordnet
317	sendmail
318	afuse
319	bomberclone
320	camlimages
321	couchdb
322	crossfire
323	dvipng
324	eggdrop
325	gdm3
326	glib2.0
327	gnutls26
328	gst-plugins-bad0.10
329	gst-plugins-good0.10
330	gtetrinet
331	heimdal
332	icedove
333	icu
334	jabberd14
335	libapache2-mod-fcgid
336	evince
337	libast
338	libgtop2
339	libnss-ldap
340	libpam-ldap
341	libsoup2.4
342	libtasn1-3
343	libtheora
344	libwmf
345	link-grammar
346	lsh-server
347	mediawiki
348	moin
349	pango1.0
350	pmount
351	polipo
352	poppler
353	postgresql-ocaml
354	pulseaudio
355	ruby1.8
356	ruby1.9.1
357	squid3
358	streamripper
359	sword
360	sympa (#644827)
361	t1lib
362	unalz
363	uw-imap
364	vino
365
366
367	Partially fixed:
368	libmusicbrainz-2.1 (2.1_2.1.5-6.1) (znow missing)
369
370
371	Fixed through cdbs (log or pkg should be checked, before moving to
372	Resolved/fixed, since some Makefile or buildsystem foo might reset
373	flags)
374	libvirt (0.9.6-1)
375	gimp (2.6.11-4)
376	ghostscript (9.04~dfsg-1)
377
378
379	Resolved/fixed: (should be double-checked with hardening-check from
380	hardening-includes before moving it here):
381	mailman (1:2.1.14-3)
382	ncompress (4.2.4.4-3)
383	xzgv (5.9-3)
384
385
386	Packages using hardening-wrapper/-includes (these are considered fixed, although
387	switching them over to dpkg-buildflags might be worthwhile later on):
388	tmux
389	netatalk
390	man-db
391	graphicsmagick
392	udev
393	xfce4-terminal
394	openssh
395	evolution
396	dbus
397	tcpdump
398	libgsf
399	tor
400	evolution-data-server
401	cyrus-imapd-2.4
402	aria2
403	mysql-5.1
404	cups
405	wireshark
406	squid
407	exim4
408	php5
409	ipsec-tools
410	postgresql-8.4
411	postgresql-9.0
412	postgresql-9.1
413	gnupg2
414	nagios3
415	tiff
416	bind9
417	postfix
418	chromium-browser
419	pidgin
420	nagios-plugins
421	znc
422	cyrus-sasl2
423	ldns
424	quagga
425
426
427
428
429
430
431
432
433
434
435
436