secure-testing/hardening/subgoal-dsa.txt

Hardening subgoal for Wheezy:
All packages, which had a DSA since 2006. 

Instructions:
- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
- After NMUing a candidate where all build flags have been successfully enabled, 
  add it to the "Resolved/fixed:" list
- After NMUing a candidate with only some of the build flags enabled, add it to
  the "Partially fixed: list (in order to remember what needs further work in the 
  future)
- cdbs packages should be fixed automatically, but needs to be double-checked


Candidates:

acpid (653502)
alsaplayer (654518)
amarok (653354)
apt (653504)
asterisk (653944)
avahi (all changes present, fixed with next upload)
barnowl (653506)
beid (653956)
bochs (653511)
bzip2
capi4hylafax (653539)
cgiirc (suggested removal in #653510)
chrony
citadel (653514)
clamav (653958)
collectd (suggested removal in #654520)
courier-authlib
cpio (654522)
cscope (653490)
ctorrent (653536)
devil (653535)
devscripts
dspam (all changes present, fixed with next upload)
djbdns
dkim-milter
dovecot (653530)
drbd8 (currently broken: #654459)
e2fsprogs (654457)
ejabberd
ekg (653531)
emacs23
exiftags (654804) 
exiv2
expat (653526)
file (653481)
flex
freeciv (654809)
freeradius
ganglia
eglibc
gmime2.4
pioneers
gnumeric
gnupg (653480)
gzip
hashcash
heartbeat
hostapd
hplip
httrack
hybserv
hylafax
iceape
iceweasel (653191)
id3lib3.8.3
imagemagick
imlib2
inotify-tools
ircd-hybrid
isakmpd
isc-dhcp
iscsitarget
kaffeine
kazehakase
kde4libs
kdebase
kdegraphics
kolab-cyrus-imapd (will be removed and built from the cyrus-2.4 package; #647221)
krb5
krb5-appl
ktorrent
kvirc
l2tpns
lasso
lcms (654821)
lftp
libapache2-mod-authnz-external
libapache2-mod-auth-pgsql
libapache-mod-auth-kerb
libapache-mod-jk
libav
cairo
libcdaudio
libcgroup (654819)
libdbd-pg-perl
libdumb
libexif (650998)
libextractor
libfishsound
libhtml-parser-perl
libimager-perl
libmikmod
libmodplug (654817)
libnet-dns-perl
libpng (654149)
librpcsecgss (654808)
libsmi (654812)
libtk-img
libtool
libtunepimp (654832)
libvorbis
libwpd (653947)
libxfont (654154)
libxml2
libxslt
links2 (654807)
linux-ftpd
loop-aes-utils
ltsp
lurker
lvm2
maildrop
mapserver
maradns
memcached
mimetex
mldonkey
mlmmj
mon
mono
mpg123
mplayer
mplayer2
forked-daapd (654147)
mtr (654117)
multipath-tools
mutt (654148)
mysql-ocaml
icinga
nas
nbd (653954)
ndiswrapper
netpbm-free
netrik
net-snmp
newt
nginx
no-ip
noweb
nsd3
nspr
nss
nss-pam-ldapd
ntp
openafs
open-iscsi
openjdk-6
libreoffice
opensaml2
openssl (653495)
openswan
openvpn
osiris
pam-pgsql
pcre3
pcsc-lite
pdns
pdns-recursor
perdition
perl
ppp
pptpd
proftpd-dfsg
psi
pstotext
pygresql
python2.7
python3.2
python3.3
python-cjson
qemu
qemu-kvm
qt4-x11
qt-x11-free
rssh (654155)
rsync (652248)
ruby-gnome2
sash
scponly
screen
sdl-image1.2
slurm-llnl
smstools
snmptrapfmt
socat (654152)
spamassassin
spamass-milter
speex
splitvt
squidguard
strongswan
subversion
sudo
suphp
syslog-ng
systemtap
tcpreen
telepathy-gabble
texinfo
tgt
tinymux
tinyproxy
tk8.4
tk8.5
unbound
unicon
unzip
vlc
vnc4
webcit
webkit
wesnoth
wget
wine
wml
wxwidgets2.6
wxwidgets2.8
wzdftpd
x11-xserver-utils
xapian-omega
xine-lib
xmlsec1
xml-security-c
xmltooling
zabbix
zodb
zoo


Packages using dh, but which need additional multiarch changes for compat 9:
opensc
dia
openexr
libtorrent-rasterbar


Packages using cdbs, which need additional fixes:
icedove

Packages using Scons, needs additional research:
blender
cheesetracker


Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
  the upload of dpkg/1.16.1:
koffice
libspf2
wordnet
sendmail
afuse
bomberclone
camlimages
couchdb
crossfire
dvipng
eggdrop
gdm3
glib2.0
gnutls26
gst-plugins-bad0.10
gst-plugins-good0.10
heimdal
icu
jabberd14
libapache2-mod-fcgid
evince
libast
libgtop2
libnss-ldap
libpam-ldap
libsoup2.4
libtasn1-3
libtheora
libwmf
link-grammar
lsh-server
mediawiki
moin
pango1.0
pmount
polipo
poppler
postgresql-ocaml
pulseaudio
ruby1.8
ruby1.9.1
squid3
streamripper
sword
t1lib
unalz
uw-imap
vino


Fixed:
libvirt (0.9.6-1)
gimp (2.6.11-4)
ghostscript (9.04~dfsg-1)
samba (2:3.5.11~dfsg-2)
libgd2 (2.0.36~rc1~dfsg-6)
sympa (6.1.7~dfsg-1)
mailman (1:2.1.14-3)
ncompress (4.2.4.4-3)
xzgv (5.9-3)
flac (1.2.1-6)
xorg-server (2:1.11.1.901-1)
openldap (2.4.25-4)
vim (2:7.3.346-1)
freetype (2.4.7-2)
python-crypto (2.4-1)
xorg-server (2:1.11.1.901-1)
xpdf (3.03-7)
fetchmail (6.3.21-3)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
network-manager (0.9.1.95-1)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
tmux (1.6~svn2630-2)
tcpdump (4.2.0~rc1-2)
libthai (0.1.16-1)
git (1:1.7.7.2-1)
man-db (2.6.0.2-3)
elinks (0.12~pre5-6)
zgv (5.9-4)
jasper (1.900.1-11)
xfs (1.0.8-7)
fbi (2.07-9) 
reprepro (4.5.0-1)
antiword (0.37-8) (653499)
wv2 (0.4.2.dfsg.1-5)
dpkg (1.16.1)
fuse (2.8.6-3)
fontforge (0.0.20110222-6) (653534)
apache2 (2.2.21-4)
cabextract (1.4-2) (653509)
htdig (3.2.0b6-12)
xterm (276-2) (653488)
enscript (1.6.5.90-2) (653528)
amule (2.3.1-2) (653503)
gv (1:3.7.1-2)
bluez-hcidump (2.1-2) (653507)
lighttpd (1.4.30-1) (654151)
pimd (2.1.8-2) (654081)
chmlib (2:0.40a-2) (653955)
lynx-cur (6.6.7-4) (654097)
rdesktop (1.7.0-2) (653498)
libpam-krb5 (4.5-3) (654293)
curl (7.23.1-3) (654521)
audiofile (0.3.2-1) (651029)
libarchive (2.8.5-2)
courier (0.66.3-2) (654794)
libsndfile (1.0.25-4) (654831)


Hardening incomplete:
gtetrinet (653443)
firebird2.5 (654793)


Packages, which use hardened build flags manually, but not yet dpkg-buildflags:
apr
apr-util
pound (654833)


Packages using hardening-wrapper/-includes (these are considered fixed, although
   switching them over to dpkg-buildflags might be worthwhile later on):
netatalk
graphicsmagick
udev
xfce4-terminal
openssh
evolution
dbus
libgsf
tor
evolution-data-server
cyrus-imapd-2.4
aria2
mysql-5.1
cups
wireshark
squid
exim4
php5
ipsec-tools
postgresql-8.4
postgresql-9.0
postgresql-9.1
gnupg2
nagios3
tiff
bind9
postfix
chromium-browser
pidgin
nagios-plugins
znc
cyrus-sasl2
ldns
quagga


1	Hardening subgoal for Wheezy:
2	All packages, which had a DSA since 2006.
3
4	Instructions:
5	- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
6	- After NMUing a candidate where all build flags have been successfully enabled,
7	add it to the "Resolved/fixed:" list
8	- After NMUing a candidate with only some of the build flags enabled, add it to
9	the "Partially fixed: list (in order to remember what needs further work in the
10	future)
11	- cdbs packages should be fixed automatically, but needs to be double-checked
12
13
14	Candidates:
15
16	acpid (653502)
17	alsaplayer (654518)
18	amarok (653354)
19	apt (653504)
20	asterisk (653944)
21	avahi (all changes present, fixed with next upload)
22	barnowl (653506)
23	beid (653956)
24	bochs (653511)
25	bzip2
26	capi4hylafax (653539)
27	cgiirc (suggested removal in #653510)
28	chrony
29	citadel (653514)
30	clamav (653958)
31	collectd (suggested removal in #654520)
32	courier-authlib
33	cpio (654522)
34	cscope (653490)
35	ctorrent (653536)
36	devil (653535)
37	devscripts
38	dspam (all changes present, fixed with next upload)
39	djbdns
40	dkim-milter
41	dovecot (653530)
42	drbd8 (currently broken: #654459)
43	e2fsprogs (654457)
44	ejabberd
45	ekg (653531)
46	emacs23
47	exiftags (654804)
48	exiv2
49	expat (653526)
50	file (653481)
51	flex
52	freeciv (654809)
53	freeradius
54	ganglia
55	eglibc
56	gmime2.4
57	pioneers
58	gnumeric
59	gnupg (653480)
60	gzip
61	hashcash
62	heartbeat
63	hostapd
64	hplip
65	httrack
66	hybserv
67	hylafax
68	iceape
69	iceweasel (653191)
70	id3lib3.8.3
71	imagemagick
72	imlib2
73	inotify-tools
74	ircd-hybrid
75	isakmpd
76	isc-dhcp
77	iscsitarget
78	kaffeine
79	kazehakase
80	kde4libs
81	kdebase
82	kdegraphics
83	kolab-cyrus-imapd (will be removed and built from the cyrus-2.4 package; #647221)
84	krb5
85	krb5-appl
86	ktorrent
87	kvirc
88	l2tpns
89	lasso
90	lcms (654821)
91	lftp
92	libapache2-mod-authnz-external
93	libapache2-mod-auth-pgsql
94	libapache-mod-auth-kerb
95	libapache-mod-jk
96	libav
97	cairo
98	libcdaudio
99	libcgroup (654819)
100	libdbd-pg-perl
101	libdumb
102	libexif (650998)
103	libextractor
104	libfishsound
105	libhtml-parser-perl
106	libimager-perl
107	libmikmod
108	libmodplug (654817)
109	libnet-dns-perl
110	libpng (654149)
111	librpcsecgss (654808)
112	libsmi (654812)
113	libtk-img
114	libtool
115	libtunepimp (654832)
116	libvorbis
117	libwpd (653947)
118	libxfont (654154)
119	libxml2
120	libxslt
121	links2 (654807)
122	linux-ftpd
123	loop-aes-utils
124	ltsp
125	lurker
126	lvm2
127	maildrop
128	mapserver
129	maradns
130	memcached
131	mimetex
132	mldonkey
133	mlmmj
134	mon
135	mono
136	mpg123
137	mplayer
138	mplayer2
139	forked-daapd (654147)
140	mtr (654117)
141	multipath-tools
142	mutt (654148)
143	mysql-ocaml
144	icinga
145	nas
146	nbd (653954)
147	ndiswrapper
148	netpbm-free
149	netrik
150	net-snmp
151	newt
152	nginx
153	no-ip
154	noweb
155	nsd3
156	nspr
157	nss
158	nss-pam-ldapd
159	ntp
160	openafs
161	open-iscsi
162	openjdk-6
163	libreoffice
164	opensaml2
165	openssl (653495)
166	openswan
167	openvpn
168	osiris
169	pam-pgsql
170	pcre3
171	pcsc-lite
172	pdns
173	pdns-recursor
174	perdition
175	perl
176	ppp
177	pptpd
178	proftpd-dfsg
179	psi
180	pstotext
181	pygresql
182	python2.7
183	python3.2
184	python3.3
185	python-cjson
186	qemu
187	qemu-kvm
188	qt4-x11
189	qt-x11-free
190	rssh (654155)
191	rsync (652248)
192	ruby-gnome2
193	sash
194	scponly
195	screen
196	sdl-image1.2
197	slurm-llnl
198	smstools
199	snmptrapfmt
200	socat (654152)
201	spamassassin
202	spamass-milter
203	speex
204	splitvt
205	squidguard
206	strongswan
207	subversion
208	sudo
209	suphp
210	syslog-ng
211	systemtap
212	tcpreen
213	telepathy-gabble
214	texinfo
215	tgt
216	tinymux
217	tinyproxy
218	tk8.4
219	tk8.5
220	unbound
221	unicon
222	unzip
223	vlc
224	vnc4
225	webcit
226	webkit
227	wesnoth
228	wget
229	wine
230	wml
231	wxwidgets2.6
232	wxwidgets2.8
233	wzdftpd
234	x11-xserver-utils
235	xapian-omega
236	xine-lib
237	xmlsec1
238	xml-security-c
239	xmltooling
240	zabbix
241	zodb
242	zoo
243
244
245	Packages using dh, but which need additional multiarch changes for compat 9:
246	opensc
247	dia
248	openexr
249	libtorrent-rasterbar
250
251
252	Packages using cdbs, which need additional fixes:
253	icedove
254
255	Packages using Scons, needs additional research:
256	blender
257	cheesetracker
258
259
260	Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
261	the upload of dpkg/1.16.1:
262	koffice
263	libspf2
264	wordnet
265	sendmail
266	afuse
267	bomberclone
268	camlimages
269	couchdb
270	crossfire
271	dvipng
272	eggdrop
273	gdm3
274	glib2.0
275	gnutls26
276	gst-plugins-bad0.10
277	gst-plugins-good0.10
278	heimdal
279	icu
280	jabberd14
281	libapache2-mod-fcgid
282	evince
283	libast
284	libgtop2
285	libnss-ldap
286	libpam-ldap
287	libsoup2.4
288	libtasn1-3
289	libtheora
290	libwmf
291	link-grammar
292	lsh-server
293	mediawiki
294	moin
295	pango1.0
296	pmount
297	polipo
298	poppler
299	postgresql-ocaml
300	pulseaudio
301	ruby1.8
302	ruby1.9.1
303	squid3
304	streamripper
305	sword
306	t1lib
307	unalz
308	uw-imap
309	vino
310
311
312	Fixed:
313	libvirt (0.9.6-1)
314	gimp (2.6.11-4)
315	ghostscript (9.04~dfsg-1)
316	samba (2:3.5.11~dfsg-2)
317	libgd2 (2.0.36~rc1~dfsg-6)
318	sympa (6.1.7~dfsg-1)
319	mailman (1:2.1.14-3)
320	ncompress (4.2.4.4-3)
321	xzgv (5.9-3)
322	flac (1.2.1-6)
323	xorg-server (2:1.11.1.901-1)
324	openldap (2.4.25-4)
325	vim (2:7.3.346-1)
326	freetype (2.4.7-2)
327	python-crypto (2.4-1)
328	xorg-server (2:1.11.1.901-1)
329	xpdf (3.03-7)
330	fetchmail (6.3.21-3)
331	libmusicbrainz-2.1 (2.1_2.1.5-6.1)
332	network-manager (0.9.1.95-1)
333	libmusicbrainz-2.1 (2.1_2.1.5-6.1)
334	tmux (1.6~svn2630-2)
335	tcpdump (4.2.0~rc1-2)
336	libthai (0.1.16-1)
337	git (1:1.7.7.2-1)
338	man-db (2.6.0.2-3)
339	elinks (0.12~pre5-6)
340	zgv (5.9-4)
341	jasper (1.900.1-11)
342	xfs (1.0.8-7)
343	fbi (2.07-9)
344	reprepro (4.5.0-1)
345	antiword (0.37-8) (653499)
346	wv2 (0.4.2.dfsg.1-5)
347	dpkg (1.16.1)
348	fuse (2.8.6-3)
349	fontforge (0.0.20110222-6) (653534)
350	apache2 (2.2.21-4)
351	cabextract (1.4-2) (653509)
352	htdig (3.2.0b6-12)
353	xterm (276-2) (653488)
354	enscript (1.6.5.90-2) (653528)
355	amule (2.3.1-2) (653503)
356	gv (1:3.7.1-2)
357	bluez-hcidump (2.1-2) (653507)
358	lighttpd (1.4.30-1) (654151)
359	pimd (2.1.8-2) (654081)
360	chmlib (2:0.40a-2) (653955)
361	lynx-cur (6.6.7-4) (654097)
362	rdesktop (1.7.0-2) (653498)
363	libpam-krb5 (4.5-3) (654293)
364	curl (7.23.1-3) (654521)
365	audiofile (0.3.2-1) (651029)
366	libarchive (2.8.5-2)
367	courier (0.66.3-2) (654794)
368	libsndfile (1.0.25-4) (654831)
369
370
371
372
373	Hardening incomplete:
374	gtetrinet (653443)
375	firebird2.5 (654793)
376
377
378	Packages, which use hardened build flags manually, but not yet dpkg-buildflags:
379	apr
380	apr-util
381	pound (654833)
382
383
384
385	Packages using hardening-wrapper/-includes (these are considered fixed, although
386	switching them over to dpkg-buildflags might be worthwhile later on):
387	netatalk
388	graphicsmagick
389	udev
390	xfce4-terminal
391	openssh
392	evolution
393	dbus
394	libgsf
395	tor
396	evolution-data-server
397	cyrus-imapd-2.4
398	aria2
399	mysql-5.1
400	cups
401	wireshark
402	squid
403	exim4
404	php5
405	ipsec-tools
406	postgresql-8.4
407	postgresql-9.0
408	postgresql-9.1
409	gnupg2
410	nagios3
411	tiff
412	bind9
413	postfix
414	chromium-browser
415	pidgin
416	nagios-plugins
417	znc
418	cyrus-sasl2
419	ldns
420	quagga
421
422
423
424
425
426
427
428
429
430
431
432