secure-testing/hardening/subgoal-dsa.txt

Hardening subgoal for Wheezy:
All packages, which had a DSA since 2006. 

Instructions:
- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
- After NMUing a candidate where all build flags have been successfully enabled, 
  add it to the "Resolved/fixed:" list
- After NMUing a candidate with only some of the build flags enabled, add it to
  the "Partially fixed: list (in order to remember what needs further work in the 
  future)
- cdbs packages should be fixed automatically, but needs to be double-checked


Candidates:

abcmidi
acpid
alsaplayer
amarok (653354)
amule
antiword
apache2
apr
apr-util
apt
asterisk
audiofile
avahi
barnowl
beid
blender
bluez-hcidump
bochs
bsdgames
bzip2
cabextract
capi4hylafax
cgiirc
cheesetracker
chmlib
chrony
citadel
clamav
collectd
courier
courier-authlib
cpio
crawl
cscope
ctorrent
curl
cyrus-imapd-2.2
devil
devscripts
dia
djbdns
dkim-milter
dovecot
dpkg
drbd8
dspam
e2fsprogs
ejabberd
ekg
emacs23
enscript
exiftags
exiv2
expat
fbi
fetchmail
file (653481)
firebird2.5
flex
fontforge
freeciv
freeradius
fuse
ganglia
eglibc
gmime2.4
pioneers
gnumeric
gnupg (653480)
gv
gzip
hashcash
heartbeat
hostapd
hplip
htdig
httrack
hybserv
hylafax
iceape
iceweasel (653191)
id3lib3.8.3
imagemagick
imlib2
inotify-tools
ircd-hybrid
isakmpd
isc-dhcp
iscsitarget
kaffeine
kazehakase
kde4libs
kdebase
kdegraphics
kolab-cyrus-imapd
krb5
krb5-appl
ktorrent
kvirc
l2tpns
lasso
lcms
lftp
libapache2-mod-authnz-external
libapache2-mod-auth-pgsql
libapache-mod-auth-kerb
libapache-mod-jk
libarchive
libav
cairo
libcdaudio
libcgroup
libdbd-pg-perl
libdumb
libexif
libextractor
libfishsound
libhtml-parser-perl
libimager-perl
libmikmod
libmodplug
libnet-dns-perl
libpam-heimdal
libpam-krb5
libpng
librpcsecgss
libsmi
libsndfile
libtk-img
libtool
libtorrent-rasterbar
libtunepimp
libvorbis
libwpd
libxfont
libxml2
libxslt
lighttpd
links2
linux-ftpd
loop-aes-utils
ltsp
lurker
lvm2
lynx-cur
maildrop
mapserver
maradns
memcached
mimetex
mldonkey
mlmmj
mon
mono
mpg123
mplayer
mplayer2
forked-daapd
mtr
multipath-tools
mutt
mysql-ocaml
icinga
nas
nbd
ndiswrapper
netpbm-free
netrik
net-snmp
newt
nginx
no-ip
noweb
nsd3
nspr
nss
nss-pam-ldapd
ntp
openafs
openexr
open-iscsi
openjdk-6
libreoffice
opensaml2
opensc
openssl
openswan
openvpn
oprofile
osiris
pam-pgsql
pcre3
pcsc-lite
pdns
pdns-recursor
perdition
perl
petris
pimd
pinball
pound
ppp
pptpd
proftpd-dfsg
psi
pstotext
pygresql
python2.6
python2.7
python3.2
python-cjson
qemu
qemu-kvm
qt4-x11
qt-x11-free
rdesktop
reprepro
rssh
rsync (652248)
ruby-gnome2
sash
scponly
screen
sdl-image1.2
slurm-llnl
smstools
snmptrapfmt
socat
spamassassin
spamass-milter
speex
splitvt
squidguard
strongswan
subversion
sudo
suphp
syslog-ng
systemtap
tcpreen
telepathy-gabble
texinfo
tgt
thttpd
tinymux
tinyproxy
tk8.4
tk8.5
tuxpaint
typespeed
unbound
unicon
unzip
util-linux
vlc
vnc4
webcit
webkit
wesnoth
wget
wine
wml
wv2
wxwidgets2.6
wxwidgets2.8
wzdftpd
x11-xserver-utils
xapian-omega
xine-lib
xmcd
xmlsec1
xml-security-c
xmltooling
xterm
zabbix
zodb
zoo


Packages using cdbs, which need additional fixes:
icedove


Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
  the upload of dpkg/1.16.1:
koffice
kphone
libspf2
wordnet
sendmail
afuse
bomberclone
camlimages
couchdb
crossfire
dvipng
eggdrop
gdm3
glib2.0
gnutls26
gst-plugins-bad0.10
gst-plugins-good0.10
heimdal
icu
jabberd14
libapache2-mod-fcgid
evince
libast
libgtop2
libnss-ldap
libpam-ldap
libsoup2.4
libtasn1-3
libtheora
libwmf
link-grammar
lsh-server
mediawiki
moin
pango1.0
pmount
polipo
poppler
postgresql-ocaml
pulseaudio
ruby1.8
ruby1.9.1
squid3
streamripper
sword
t1lib
unalz
uw-imap
vino


Fixed:
libvirt (0.9.6-1)
gimp (2.6.11-4)
ghostscript (9.04~dfsg-1)
samba (2:3.5.11~dfsg-2)
libgd2 (2.0.36~rc1~dfsg-6)
sympa (6.1.7~dfsg-1)
mailman (1:2.1.14-3)
ncompress (4.2.4.4-3)
xzgv (5.9-3)
flac (1.2.1-6)
xorg-server (2:1.11.1.901-1)
openldap (2.4.25-4)
vim (2:7.3.346-1)
freetype (2.4.7-2)
python-crypto (2.4-1)
xorg-server (2:1.11.1.901-1)
xpdf (3.03-7)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
network-manager (0.9.1.95-1)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
tmux (1.6~svn2630-2)
tcpdump (4.2.0~rc1-2)
libthai (0.1.16-1)
git (1:1.7.7.2-1)
man-db (2.6.0.2-3)
elinks (0.12~pre5-6)
zgv (5.9-4)
jasper (1.900.1-11)
xfs (1.0.8-7)


Hardening incomplete:
gtetrinet (653443)


Packages using hardening-wrapper/-includes (these are considered fixed, although
   switching them over to dpkg-buildflags might be worthwhile later on):
netatalk
graphicsmagick
udev
xfce4-terminal
openssh
evolution
dbus
libgsf
tor
evolution-data-server
cyrus-imapd-2.4
aria2
mysql-5.1
cups
wireshark
squid
exim4
php5
ipsec-tools
postgresql-8.4
postgresql-9.0
postgresql-9.1
gnupg2
nagios3
tiff
bind9
postfix
chromium-browser
pidgin
nagios-plugins
znc
cyrus-sasl2
ldns
quagga


1	Hardening subgoal for Wheezy:
2	All packages, which had a DSA since 2006.
3
4	Instructions:
5	- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
6	- After NMUing a candidate where all build flags have been successfully enabled,
7	add it to the "Resolved/fixed:" list
8	- After NMUing a candidate with only some of the build flags enabled, add it to
9	the "Partially fixed: list (in order to remember what needs further work in the
10	future)
11	- cdbs packages should be fixed automatically, but needs to be double-checked
12
13
14	Candidates:
15
16	abcmidi
17	acpid
18	alsaplayer
19	amarok (653354)
20	amule
21	antiword
22	apache2
23	apr
24	apr-util
25	apt
26	asterisk
27	audiofile
28	avahi
29	barnowl
30	beid
31	blender
32	bluez-hcidump
33	bochs
34	bsdgames
35	bzip2
36	cabextract
37	capi4hylafax
38	cgiirc
39	cheesetracker
40	chmlib
41	chrony
42	citadel
43	clamav
44	collectd
45	courier
46	courier-authlib
47	cpio
48	crawl
49	cscope
50	ctorrent
51	curl
52	cyrus-imapd-2.2
53	devil
54	devscripts
55	dia
56	djbdns
57	dkim-milter
58	dovecot
59	dpkg
60	drbd8
61	dspam
62	e2fsprogs
63	ejabberd
64	ekg
65	emacs23
66	enscript
67	exiftags
68	exiv2
69	expat
70	fbi
71	fetchmail
72	file (653481)
73	firebird2.5
74	flex
75	fontforge
76	freeciv
77	freeradius
78	fuse
79	ganglia
80	eglibc
81	gmime2.4
82	pioneers
83	gnumeric
84	gnupg (653480)
85	gv
86	gzip
87	hashcash
88	heartbeat
89	hostapd
90	hplip
91	htdig
92	httrack
93	hybserv
94	hylafax
95	iceape
96	iceweasel (653191)
97	id3lib3.8.3
98	imagemagick
99	imlib2
100	inotify-tools
101	ircd-hybrid
102	isakmpd
103	isc-dhcp
104	iscsitarget
105	kaffeine
106	kazehakase
107	kde4libs
108	kdebase
109	kdegraphics
110	kolab-cyrus-imapd
111	krb5
112	krb5-appl
113	ktorrent
114	kvirc
115	l2tpns
116	lasso
117	lcms
118	lftp
119	libapache2-mod-authnz-external
120	libapache2-mod-auth-pgsql
121	libapache-mod-auth-kerb
122	libapache-mod-jk
123	libarchive
124	libav
125	cairo
126	libcdaudio
127	libcgroup
128	libdbd-pg-perl
129	libdumb
130	libexif
131	libextractor
132	libfishsound
133	libhtml-parser-perl
134	libimager-perl
135	libmikmod
136	libmodplug
137	libnet-dns-perl
138	libpam-heimdal
139	libpam-krb5
140	libpng
141	librpcsecgss
142	libsmi
143	libsndfile
144	libtk-img
145	libtool
146	libtorrent-rasterbar
147	libtunepimp
148	libvorbis
149	libwpd
150	libxfont
151	libxml2
152	libxslt
153	lighttpd
154	links2
155	linux-ftpd
156	loop-aes-utils
157	ltsp
158	lurker
159	lvm2
160	lynx-cur
161	maildrop
162	mapserver
163	maradns
164	memcached
165	mimetex
166	mldonkey
167	mlmmj
168	mon
169	mono
170	mpg123
171	mplayer
172	mplayer2
173	forked-daapd
174	mtr
175	multipath-tools
176	mutt
177	mysql-ocaml
178	icinga
179	nas
180	nbd
181	ndiswrapper
182	netpbm-free
183	netrik
184	net-snmp
185	newt
186	nginx
187	no-ip
188	noweb
189	nsd3
190	nspr
191	nss
192	nss-pam-ldapd
193	ntp
194	openafs
195	openexr
196	open-iscsi
197	openjdk-6
198	libreoffice
199	opensaml2
200	opensc
201	openssl
202	openswan
203	openvpn
204	oprofile
205	osiris
206	pam-pgsql
207	pcre3
208	pcsc-lite
209	pdns
210	pdns-recursor
211	perdition
212	perl
213	petris
214	pimd
215	pinball
216	pound
217	ppp
218	pptpd
219	proftpd-dfsg
220	psi
221	pstotext
222	pygresql
223	python2.6
224	python2.7
225	python3.2
226	python-cjson
227	qemu
228	qemu-kvm
229	qt4-x11
230	qt-x11-free
231	rdesktop
232	reprepro
233	rssh
234	rsync (652248)
235	ruby-gnome2
236	sash
237	scponly
238	screen
239	sdl-image1.2
240	slurm-llnl
241	smstools
242	snmptrapfmt
243	socat
244	spamassassin
245	spamass-milter
246	speex
247	splitvt
248	squidguard
249	strongswan
250	subversion
251	sudo
252	suphp
253	syslog-ng
254	systemtap
255	tcpreen
256	telepathy-gabble
257	texinfo
258	tgt
259	thttpd
260	tinymux
261	tinyproxy
262	tk8.4
263	tk8.5
264	tuxpaint
265	typespeed
266	unbound
267	unicon
268	unzip
269	util-linux
270	vlc
271	vnc4
272	webcit
273	webkit
274	wesnoth
275	wget
276	wine
277	wml
278	wv2
279	wxwidgets2.6
280	wxwidgets2.8
281	wzdftpd
282	x11-xserver-utils
283	xapian-omega
284	xine-lib
285	xmcd
286	xmlsec1
287	xml-security-c
288	xmltooling
289	xterm
290	zabbix
291	zodb
292	zoo
293
294
295	Packages using cdbs, which need additional fixes:
296	icedove
297
298
299	Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
300	the upload of dpkg/1.16.1:
301	koffice
302	kphone
303	libspf2
304	wordnet
305	sendmail
306	afuse
307	bomberclone
308	camlimages
309	couchdb
310	crossfire
311	dvipng
312	eggdrop
313	gdm3
314	glib2.0
315	gnutls26
316	gst-plugins-bad0.10
317	gst-plugins-good0.10
318	heimdal
319	icu
320	jabberd14
321	libapache2-mod-fcgid
322	evince
323	libast
324	libgtop2
325	libnss-ldap
326	libpam-ldap
327	libsoup2.4
328	libtasn1-3
329	libtheora
330	libwmf
331	link-grammar
332	lsh-server
333	mediawiki
334	moin
335	pango1.0
336	pmount
337	polipo
338	poppler
339	postgresql-ocaml
340	pulseaudio
341	ruby1.8
342	ruby1.9.1
343	squid3
344	streamripper
345	sword
346	t1lib
347	unalz
348	uw-imap
349	vino
350
351
352	Fixed:
353	libvirt (0.9.6-1)
354	gimp (2.6.11-4)
355	ghostscript (9.04~dfsg-1)
356	samba (2:3.5.11~dfsg-2)
357	libgd2 (2.0.36~rc1~dfsg-6)
358	sympa (6.1.7~dfsg-1)
359	mailman (1:2.1.14-3)
360	ncompress (4.2.4.4-3)
361	xzgv (5.9-3)
362	flac (1.2.1-6)
363	xorg-server (2:1.11.1.901-1)
364	openldap (2.4.25-4)
365	vim (2:7.3.346-1)
366	freetype (2.4.7-2)
367	python-crypto (2.4-1)
368	xorg-server (2:1.11.1.901-1)
369	xpdf (3.03-7)
370	libmusicbrainz-2.1 (2.1_2.1.5-6.1)
371	network-manager (0.9.1.95-1)
372	libmusicbrainz-2.1 (2.1_2.1.5-6.1)
373	tmux (1.6~svn2630-2)
374	tcpdump (4.2.0~rc1-2)
375	libthai (0.1.16-1)
376	git (1:1.7.7.2-1)
377	man-db (2.6.0.2-3)
378	elinks (0.12~pre5-6)
379	zgv (5.9-4)
380	jasper (1.900.1-11)
381	xfs (1.0.8-7)
382
383
384
385	Hardening incomplete:
386	gtetrinet (653443)
387
388
389
390	Packages using hardening-wrapper/-includes (these are considered fixed, although
391	switching them over to dpkg-buildflags might be worthwhile later on):
392	netatalk
393	graphicsmagick
394	udev
395	xfce4-terminal
396	openssh
397	evolution
398	dbus
399	libgsf
400	tor
401	evolution-data-server
402	cyrus-imapd-2.4
403	aria2
404	mysql-5.1
405	cups
406	wireshark
407	squid
408	exim4
409	php5
410	ipsec-tools
411	postgresql-8.4
412	postgresql-9.0
413	postgresql-9.1
414	gnupg2
415	nagios3
416	tiff
417	bind9
418	postfix
419	chromium-browser
420	pidgin
421	nagios-plugins
422	znc
423	cyrus-sasl2
424	ldns
425	quagga
426
427
428
429
430
431
432
433
434
435
436
437