secure-testing/hardening/subgoal-dsa.txt

Hardening subgoal for Wheezy:
All packages, which had a DSA since 2006. 

Instructions:
- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
- After NMUing a candidate where all build flags have been successfully enabled, 
  add it to the "Resolved/fixed:" list
- After NMUing a candidate with only some of the build flags enabled, add it to
  the "Partially fixed: list (in order to remember what needs further work in the 
  future)
- cdbs packages should be fixed automatically, but needs to be double-checked


Candidates:

acpid (653502)
alsaplayer
amarok (653354)
apt (653504)
asterisk (653944)
audiofile (651029)
avahi (all changes present, fixed with next upload)
barnowl (653506)
beid (653956)
bochs (653511)
bsdgames
bzip2
capi4hylafax (653539)
cgiirc (suggested removal in #653510)
cheesetracker
chmlib (653955)
chrony
citadel (653514)
clamav (653958)
collectd
courier
courier-authlib
cpio
cscope (653490)
ctorrent (653536)
curl
devil (653535)
devscripts
dia
djbdns
dkim-milter
dovecot (653530)
drbd8
dspam
e2fsprogs
ejabberd
ekg (653531)
emacs23
exiftags
exiv2
expat (653526)
file (653481)
firebird2.5
flex
freeciv
freeradius
ganglia
eglibc
gmime2.4
pioneers
gnumeric
gnupg (653480)
gzip
hashcash
heartbeat
hostapd
hplip
httrack
hybserv
hylafax
iceape
iceweasel (653191)
id3lib3.8.3
imagemagick
imlib2
inotify-tools
ircd-hybrid
isakmpd
isc-dhcp
iscsitarget
kaffeine
kazehakase
kde4libs
kdebase
kdegraphics
kolab-cyrus-imapd
krb5
krb5-appl
ktorrent
kvirc
l2tpns
lasso
lcms
lftp
libapache2-mod-authnz-external
libapache2-mod-auth-pgsql
libapache-mod-auth-kerb
libapache-mod-jk
libarchive
libav
cairo
libcdaudio
libcgroup
libdbd-pg-perl
libdumb
libexif (650998)
libextractor
libfishsound
libhtml-parser-perl
libimager-perl
libmikmod
libmodplug
libnet-dns-perl
libpam-heimdal
libpam-krb5
libpng
librpcsecgss
libsmi
libsndfile
libtk-img
libtool
libtorrent-rasterbar
libtunepimp
libvorbis
libwpd (653947)
libxfont
libxml2
libxslt
lighttpd
links2
linux-ftpd
loop-aes-utils
ltsp
lurker
lvm2
lynx-cur (654097)
maildrop
mapserver
maradns
memcached
mimetex
mldonkey
mlmmj
mon
mono
mpg123
mplayer
mplayer2
forked-daapd (654147)
mtr (654117)
multipath-tools
mutt
mysql-ocaml
icinga
nas
nbd (653954)
ndiswrapper
netpbm-free
netrik
net-snmp
newt
nginx
no-ip
noweb
nsd3
nspr
nss
nss-pam-ldapd
ntp
openafs
openexr
open-iscsi
openjdk-6
libreoffice
opensaml2
opensc
openssl (653495)
openswan
openvpn
osiris
pam-pgsql
pcre3
pcsc-lite
pdns
pdns-recursor
perdition
perl
pimd (654081)
pound
ppp
pptpd
proftpd-dfsg
psi
pstotext
pygresql
python2.6
python2.7
python3.2
python-cjson
qemu
qemu-kvm
qt4-x11
qt-x11-free
rdesktop (653498)
rssh
rsync (652248)
ruby-gnome2
sash
scponly
screen
sdl-image1.2
slurm-llnl
smstools
snmptrapfmt
socat
spamassassin
spamass-milter
speex
splitvt
squidguard
strongswan
subversion
sudo
suphp
syslog-ng
systemtap
tcpreen
telepathy-gabble
texinfo
tgt
tinymux
tinyproxy
tk8.4
tk8.5
unbound
unicon
unzip
vlc
vnc4
webcit
webkit
wesnoth
wget
wine
wml
wxwidgets2.6
wxwidgets2.8
wzdftpd
x11-xserver-utils
xapian-omega
xine-lib
xmlsec1
xml-security-c
xmltooling
zabbix
zodb
zoo


Packages using cdbs, which need additional fixes:
icedove

Packages using Scons, needs additional research:
blender


Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
  the upload of dpkg/1.16.1:
koffice
libspf2
wordnet
sendmail
afuse
bomberclone
camlimages
couchdb
crossfire
dvipng
eggdrop
gdm3
glib2.0
gnutls26
gst-plugins-bad0.10
gst-plugins-good0.10
heimdal
icu
jabberd14
libapache2-mod-fcgid
evince
libast
libgtop2
libnss-ldap
libpam-ldap
libsoup2.4
libtasn1-3
libtheora
libwmf
link-grammar
lsh-server
mediawiki
moin
pango1.0
pmount
polipo
poppler
postgresql-ocaml
pulseaudio
ruby1.8
ruby1.9.1
squid3
streamripper
sword
t1lib
unalz
uw-imap
vino


Fixed:
libvirt (0.9.6-1)
gimp (2.6.11-4)
ghostscript (9.04~dfsg-1)
samba (2:3.5.11~dfsg-2)
libgd2 (2.0.36~rc1~dfsg-6)
sympa (6.1.7~dfsg-1)
mailman (1:2.1.14-3)
ncompress (4.2.4.4-3)
xzgv (5.9-3)
flac (1.2.1-6)
xorg-server (2:1.11.1.901-1)
openldap (2.4.25-4)
vim (2:7.3.346-1)
freetype (2.4.7-2)
python-crypto (2.4-1)
xorg-server (2:1.11.1.901-1)
xpdf (3.03-7)
fetchmail (6.3.21-3)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
network-manager (0.9.1.95-1)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
tmux (1.6~svn2630-2)
tcpdump (4.2.0~rc1-2)
libthai (0.1.16-1)
git (1:1.7.7.2-1)
man-db (2.6.0.2-3)
elinks (0.12~pre5-6)
zgv (5.9-4)
jasper (1.900.1-11)
xfs (1.0.8-7)
fbi (2.07-9) 
reprepro (4.5.0-1)
antiword (0.37-8) (653499)
wv2 (0.4.2.dfsg.1-5)
dpkg (1.16.1)
fuse (2.8.6-3)
fontforge (0.0.20110222-6) (653534)
apache2 (2.2.21-4)
cabextract (1.4-2) (653509)
htdig (3.2.0b6-12)
xterm (276-2) (653488)
enscript (1.6.5.90-2) (653528)
amule (2.3.1-2) (653503)
gv (1:3.7.1-2)
bluez-hcidump (2.1-2) (653507)


Hardening incomplete:
gtetrinet (653443)


Packages, which use hardened build flags manually, but not yet dpkg-buildflags:
apr
apr-util


Packages using hardening-wrapper/-includes (these are considered fixed, although
   switching them over to dpkg-buildflags might be worthwhile later on):
netatalk
graphicsmagick
udev
xfce4-terminal
openssh
evolution
dbus
libgsf
tor
evolution-data-server
cyrus-imapd-2.4
aria2
mysql-5.1
cups
wireshark
squid
exim4
php5
ipsec-tools
postgresql-8.4
postgresql-9.0
postgresql-9.1
gnupg2
nagios3
tiff
bind9
postfix
chromium-browser
pidgin
nagios-plugins
znc
cyrus-sasl2
ldns
quagga


1	Hardening subgoal for Wheezy:
2	All packages, which had a DSA since 2006.
3
4	Instructions:
5	- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
6	- After NMUing a candidate where all build flags have been successfully enabled,
7	add it to the "Resolved/fixed:" list
8	- After NMUing a candidate with only some of the build flags enabled, add it to
9	the "Partially fixed: list (in order to remember what needs further work in the
10	future)
11	- cdbs packages should be fixed automatically, but needs to be double-checked
12
13
14	Candidates:
15
16	acpid (653502)
17	alsaplayer
18	amarok (653354)
19	apt (653504)
20	asterisk (653944)
21	audiofile (651029)
22	avahi (all changes present, fixed with next upload)
23	barnowl (653506)
24	beid (653956)
25	bochs (653511)
26	bsdgames
27	bzip2
28	capi4hylafax (653539)
29	cgiirc (suggested removal in #653510)
30	cheesetracker
31	chmlib (653955)
32	chrony
33	citadel (653514)
34	clamav (653958)
35	collectd
36	courier
37	courier-authlib
38	cpio
39	cscope (653490)
40	ctorrent (653536)
41	curl
42	devil (653535)
43	devscripts
44	dia
45	djbdns
46	dkim-milter
47	dovecot (653530)
48	drbd8
49	dspam
50	e2fsprogs
51	ejabberd
52	ekg (653531)
53	emacs23
54	exiftags
55	exiv2
56	expat (653526)
57	file (653481)
58	firebird2.5
59	flex
60	freeciv
61	freeradius
62	ganglia
63	eglibc
64	gmime2.4
65	pioneers
66	gnumeric
67	gnupg (653480)
68	gzip
69	hashcash
70	heartbeat
71	hostapd
72	hplip
73	httrack
74	hybserv
75	hylafax
76	iceape
77	iceweasel (653191)
78	id3lib3.8.3
79	imagemagick
80	imlib2
81	inotify-tools
82	ircd-hybrid
83	isakmpd
84	isc-dhcp
85	iscsitarget
86	kaffeine
87	kazehakase
88	kde4libs
89	kdebase
90	kdegraphics
91	kolab-cyrus-imapd
92	krb5
93	krb5-appl
94	ktorrent
95	kvirc
96	l2tpns
97	lasso
98	lcms
99	lftp
100	libapache2-mod-authnz-external
101	libapache2-mod-auth-pgsql
102	libapache-mod-auth-kerb
103	libapache-mod-jk
104	libarchive
105	libav
106	cairo
107	libcdaudio
108	libcgroup
109	libdbd-pg-perl
110	libdumb
111	libexif (650998)
112	libextractor
113	libfishsound
114	libhtml-parser-perl
115	libimager-perl
116	libmikmod
117	libmodplug
118	libnet-dns-perl
119	libpam-heimdal
120	libpam-krb5
121	libpng
122	librpcsecgss
123	libsmi
124	libsndfile
125	libtk-img
126	libtool
127	libtorrent-rasterbar
128	libtunepimp
129	libvorbis
130	libwpd (653947)
131	libxfont
132	libxml2
133	libxslt
134	lighttpd
135	links2
136	linux-ftpd
137	loop-aes-utils
138	ltsp
139	lurker
140	lvm2
141	lynx-cur (654097)
142	maildrop
143	mapserver
144	maradns
145	memcached
146	mimetex
147	mldonkey
148	mlmmj
149	mon
150	mono
151	mpg123
152	mplayer
153	mplayer2
154	forked-daapd (654147)
155	mtr (654117)
156	multipath-tools
157	mutt
158	mysql-ocaml
159	icinga
160	nas
161	nbd (653954)
162	ndiswrapper
163	netpbm-free
164	netrik
165	net-snmp
166	newt
167	nginx
168	no-ip
169	noweb
170	nsd3
171	nspr
172	nss
173	nss-pam-ldapd
174	ntp
175	openafs
176	openexr
177	open-iscsi
178	openjdk-6
179	libreoffice
180	opensaml2
181	opensc
182	openssl (653495)
183	openswan
184	openvpn
185	osiris
186	pam-pgsql
187	pcre3
188	pcsc-lite
189	pdns
190	pdns-recursor
191	perdition
192	perl
193	pimd (654081)
194	pound
195	ppp
196	pptpd
197	proftpd-dfsg
198	psi
199	pstotext
200	pygresql
201	python2.6
202	python2.7
203	python3.2
204	python-cjson
205	qemu
206	qemu-kvm
207	qt4-x11
208	qt-x11-free
209	rdesktop (653498)
210	rssh
211	rsync (652248)
212	ruby-gnome2
213	sash
214	scponly
215	screen
216	sdl-image1.2
217	slurm-llnl
218	smstools
219	snmptrapfmt
220	socat
221	spamassassin
222	spamass-milter
223	speex
224	splitvt
225	squidguard
226	strongswan
227	subversion
228	sudo
229	suphp
230	syslog-ng
231	systemtap
232	tcpreen
233	telepathy-gabble
234	texinfo
235	tgt
236	tinymux
237	tinyproxy
238	tk8.4
239	tk8.5
240	unbound
241	unicon
242	unzip
243	vlc
244	vnc4
245	webcit
246	webkit
247	wesnoth
248	wget
249	wine
250	wml
251	wxwidgets2.6
252	wxwidgets2.8
253	wzdftpd
254	x11-xserver-utils
255	xapian-omega
256	xine-lib
257	xmlsec1
258	xml-security-c
259	xmltooling
260	zabbix
261	zodb
262	zoo
263
264
265	Packages using cdbs, which need additional fixes:
266	icedove
267
268	Packages using Scons, needs additional research:
269	blender
270
271
272	Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
273	the upload of dpkg/1.16.1:
274	koffice
275	libspf2
276	wordnet
277	sendmail
278	afuse
279	bomberclone
280	camlimages
281	couchdb
282	crossfire
283	dvipng
284	eggdrop
285	gdm3
286	glib2.0
287	gnutls26
288	gst-plugins-bad0.10
289	gst-plugins-good0.10
290	heimdal
291	icu
292	jabberd14
293	libapache2-mod-fcgid
294	evince
295	libast
296	libgtop2
297	libnss-ldap
298	libpam-ldap
299	libsoup2.4
300	libtasn1-3
301	libtheora
302	libwmf
303	link-grammar
304	lsh-server
305	mediawiki
306	moin
307	pango1.0
308	pmount
309	polipo
310	poppler
311	postgresql-ocaml
312	pulseaudio
313	ruby1.8
314	ruby1.9.1
315	squid3
316	streamripper
317	sword
318	t1lib
319	unalz
320	uw-imap
321	vino
322
323
324	Fixed:
325	libvirt (0.9.6-1)
326	gimp (2.6.11-4)
327	ghostscript (9.04~dfsg-1)
328	samba (2:3.5.11~dfsg-2)
329	libgd2 (2.0.36~rc1~dfsg-6)
330	sympa (6.1.7~dfsg-1)
331	mailman (1:2.1.14-3)
332	ncompress (4.2.4.4-3)
333	xzgv (5.9-3)
334	flac (1.2.1-6)
335	xorg-server (2:1.11.1.901-1)
336	openldap (2.4.25-4)
337	vim (2:7.3.346-1)
338	freetype (2.4.7-2)
339	python-crypto (2.4-1)
340	xorg-server (2:1.11.1.901-1)
341	xpdf (3.03-7)
342	fetchmail (6.3.21-3)
343	libmusicbrainz-2.1 (2.1_2.1.5-6.1)
344	network-manager (0.9.1.95-1)
345	libmusicbrainz-2.1 (2.1_2.1.5-6.1)
346	tmux (1.6~svn2630-2)
347	tcpdump (4.2.0~rc1-2)
348	libthai (0.1.16-1)
349	git (1:1.7.7.2-1)
350	man-db (2.6.0.2-3)
351	elinks (0.12~pre5-6)
352	zgv (5.9-4)
353	jasper (1.900.1-11)
354	xfs (1.0.8-7)
355	fbi (2.07-9)
356	reprepro (4.5.0-1)
357	antiword (0.37-8) (653499)
358	wv2 (0.4.2.dfsg.1-5)
359	dpkg (1.16.1)
360	fuse (2.8.6-3)
361	fontforge (0.0.20110222-6) (653534)
362	apache2 (2.2.21-4)
363	cabextract (1.4-2) (653509)
364	htdig (3.2.0b6-12)
365	xterm (276-2) (653488)
366	enscript (1.6.5.90-2) (653528)
367	amule (2.3.1-2) (653503)
368	gv (1:3.7.1-2)
369	bluez-hcidump (2.1-2) (653507)
370
371
372
373	Hardening incomplete:
374	gtetrinet (653443)
375
376
377	Packages, which use hardened build flags manually, but not yet dpkg-buildflags:
378	apr
379	apr-util
380
381
382
383	Packages using hardening-wrapper/-includes (these are considered fixed, although
384	switching them over to dpkg-buildflags might be worthwhile later on):
385	netatalk
386	graphicsmagick
387	udev
388	xfce4-terminal
389	openssh
390	evolution
391	dbus
392	libgsf
393	tor
394	evolution-data-server
395	cyrus-imapd-2.4
396	aria2
397	mysql-5.1
398	cups
399	wireshark
400	squid
401	exim4
402	php5
403	ipsec-tools
404	postgresql-8.4
405	postgresql-9.0
406	postgresql-9.1
407	gnupg2
408	nagios3
409	tiff
410	bind9
411	postfix
412	chromium-browser
413	pidgin
414	nagios-plugins
415	znc
416	cyrus-sasl2
417	ldns
418	quagga
419
420
421
422
423
424
425
426
427
428
429
430