secure-testing/hardening/subgoal-dsa.txt

Hardening subgoal for Wheezy:
All packages, which had a DSA since 2006. 

Instructions:
- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
- After NMUing a candidate where all build flags have been successfully enabled, 
  add it to the "Resolved/fixed:" list
- After NMUing a candidate with only some of the build flags enabled, add it to
  the "Partially fixed: list (in order to remember what needs further work in the 
  future)
- cdbs packages should be fixed automatically, but needs to be double-checked


Candidates:

acpid (653502)
alsaplayer (654518)
amarok (653354)
apt (653504)
asterisk (653944)
avahi (all changes present, fixed with next upload)
barnowl (653506)
beid (653956)
bochs (653511)
bzip2
capi4hylafax (653539)
cgiirc (suggested removal in #653510)
chrony (655123)
citadel (653514)
clamav (653958)
collectd (suggested removal in #654520)
courier-authlib
cpio (654522)
cscope (653490)
ctorrent (653536)
devil (653535)
devscripts
dspam (all changes present, fixed with next upload)
djbdns
dkim-milter
dovecot (653530)
drbd8 (currently broken: #654459)
e2fsprogs (654457)
ejabberd
ekg (653531)
emacs23 (655118)
expat (653526)
file (653481)
flex
freeciv (654809)
freeradius
ganglia (655126)
eglibc
gmime2.4
pioneers
gnumeric
gnupg (653480)
gzip
hashcash
heartbeat
hostapd
hplip
httrack
hybserv
hylafax
iceape
iceweasel (653191)
id3lib3.8.3
imagemagick
imlib2
inotify-tools
ircd-hybrid
isakmpd
iscsitarget
kazehakase
kde4libs
kdebase
kdegraphics
kolab-cyrus-imapd (will be removed and built from the cyrus-2.4 package; #647221)
krb5
krb5-appl
ktorrent
kvirc
l2tpns
lasso
lcms (654821)
lftp
libapache2-mod-authnz-external
libapache2-mod-auth-pgsql
libapache-mod-auth-kerb
libapache-mod-jk
libav
cairo (655128)
libcgroup (654819)
libdbd-pg-perl
libdumb
libexif (650998)
libextractor
libfishsound
libhtml-parser-perl
libimager-perl
libmikmod
libmodplug (654817)
libnet-dns-perl
libpng (654149)
librpcsecgss (654808)
libsmi (654812)
libtk-img
libtool
libtunepimp (654832)
libvorbis
libwpd (653947)
libxfont (654154)
libxml2 (654903)
libxslt
links2 (654807)
linux-ftpd
loop-aes-utils
ltsp
lurker
lvm2
maildrop (655133)
mapserver
maradns
memcached (655134)
mimetex
mldonkey (655140)
mlmmj
mon (655137)
mono
mplayer
mplayer2
forked-daapd (654147)
mtr (654117)
multipath-tools
mutt (654148)
mysql-ocaml
icinga
nas
nbd (653954)
ndiswrapper
netpbm-free
netrik
net-snmp
newt
nginx
no-ip
noweb
nsd3
nspr
nss
ntp
openafs
open-iscsi
openjdk-6
libreoffice
opensaml2
openssl (653495)
openswan (655139)
openvpn (655130)
osiris (suggested removal in 655116)
pam-pgsql
pcre3
pdns
pdns-recursor
perdition
perl
ppp
pptpd
proftpd-dfsg
psi
pstotext (655105)
pygresql
python2.7
python3.2
python3.3
python-cjson
qemu
qemu-kvm
qt4-x11
qt-x11-free
rssh (654155)
rsync (652248)
ruby-gnome2
sash (654909)
scponly
screen
slurm-llnl
smstools
snmptrapfmt
socat (654152)
spamassassin
spamass-milter
speex
splitvt
squidguard
strongswan
subversion
sudo
suphp
syslog-ng
systemtap
tcpreen
telepathy-gabble
texinfo
tgt
tinyproxy
tk8.4
tk8.5
unbound
unicon
unzip
vlc
vnc4
webcit
webkit
wesnoth
wget (654908)
wine
wml
wxwidgets2.6
wxwidgets2.8
wzdftpd (655141)
x11-xserver-utils
xapian-omega
xine-lib
xmlsec1
xml-security-c
xmltooling
zabbix
zodb
zoo
vsftpd (655103)


Packages using dh, but which need additional multiarch changes for compat 9:
opensc
dia
openexr
libtorrent-rasterbar
exiv2
libcdaudio
pcsc-lite


Packages using cdbs, which need additional fixes:
icedove

Packages using Scons, needs additional research:
blender
cheesetracker

Packages using cmake, needs additional research:
kaffeine


Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
  the upload of dpkg/1.16.1:
koffice
libspf2
wordnet
sendmail
afuse
bomberclone
camlimages
couchdb
crossfire
dvipng
eggdrop
gdm3
glib2.0
gnutls26
gst-plugins-bad0.10
gst-plugins-good0.10
heimdal
icu
jabberd14
libapache2-mod-fcgid
evince
libast
libgtop2
libnss-ldap
libpam-ldap
libsoup2.4
libtasn1-3
libtheora
link-grammar
lsh-server
mediawiki
moin
pango1.0
pmount
polipo
poppler
postgresql-ocaml
pulseaudio
ruby1.8
ruby1.9.1
squid3
streamripper
sword
t1lib
unalz
uw-imap
vino


Fixed:
libvirt (0.9.6-1)
gimp (2.6.11-4)
ghostscript (9.04~dfsg-1)
samba (2:3.5.11~dfsg-2)
libgd2 (2.0.36~rc1~dfsg-6)
sympa (6.1.7~dfsg-1)
mailman (1:2.1.14-3)
ncompress (4.2.4.4-3)
xzgv (5.9-3)
flac (1.2.1-6)
xorg-server (2:1.11.1.901-1)
openldap (2.4.25-4)
vim (2:7.3.346-1)
freetype (2.4.7-2)
python-crypto (2.4-1)
xorg-server (2:1.11.1.901-1)
xpdf (3.03-7)
fetchmail (6.3.21-3)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
network-manager (0.9.1.95-1)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
tmux (1.6~svn2630-2)
tcpdump (4.2.0~rc1-2)
libthai (0.1.16-1)
git (1:1.7.7.2-1)
man-db (2.6.0.2-3)
elinks (0.12~pre5-6)
zgv (5.9-4)
jasper (1.900.1-11)
xfs (1.0.8-7)
fbi (2.07-9) 
reprepro (4.5.0-1)
antiword (0.37-8) (653499)
wv2 (0.4.2.dfsg.1-5)
dpkg (1.16.1)
fuse (2.8.6-3)
fontforge (0.0.20110222-6) (653534)
apache2 (2.2.21-4)
cabextract (1.4-2) (653509)
htdig (3.2.0b6-12)
xterm (276-2) (653488)
enscript (1.6.5.90-2) (653528)
amule (2.3.1-2) (653503)
gv (1:3.7.1-2)
bluez-hcidump (2.1-2) (653507)
lighttpd (1.4.30-1) (654151)
pimd (2.1.8-2) (654081)
chmlib (2:0.40a-2) (653955)
lynx-cur (6.6.7-4) (654097)
rdesktop (1.7.0-2) (653498)
libpam-krb5 (4.5-3) (654293)
curl (7.23.1-3) (654521)
audiofile (0.3.2-1) (651029)
libarchive (2.8.5-2)
courier (0.66.3-2) (654794)
libsndfile (1.0.25-4) (654831)
libwmf (0.2.8.4-10)
exiftags (1.01-5) (654804) 
nss-pam-ldapd (0.8.5)
isc-dhcp (4.2.2-2)
sdl-image1.2 (1.2.10-3)


Hardening incomplete:
gtetrinet (653443)
firebird2.5 (654793)


Packages, which use hardened build flags manually, but not yet dpkg-buildflags:
apr
apr-util
pound (654833)
mpg123


Packages using hardening-wrapper/-includes (these are considered fixed, although
   switching them over to dpkg-buildflags might be worthwhile later on):
netatalk
graphicsmagick
udev
xfce4-terminal
openssh
evolution
dbus
libgsf
tor
evolution-data-server
cyrus-imapd-2.4
aria2
mysql-5.1
cups
wireshark
squid
exim4
php5
ipsec-tools
postgresql-8.4
postgresql-9.0
postgresql-9.1
gnupg2
nagios3
tiff
bind9
postfix
chromium-browser
pidgin
nagios-plugins
znc
cyrus-sasl2
ldns
quagga


1	Hardening subgoal for Wheezy:
2	All packages, which had a DSA since 2006.
3
4	Instructions:
5	- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
6	- After NMUing a candidate where all build flags have been successfully enabled,
7	add it to the "Resolved/fixed:" list
8	- After NMUing a candidate with only some of the build flags enabled, add it to
9	the "Partially fixed: list (in order to remember what needs further work in the
10	future)
11	- cdbs packages should be fixed automatically, but needs to be double-checked
12
13
14	Candidates:
15
16	acpid (653502)
17	alsaplayer (654518)
18	amarok (653354)
19	apt (653504)
20	asterisk (653944)
21	avahi (all changes present, fixed with next upload)
22	barnowl (653506)
23	beid (653956)
24	bochs (653511)
25	bzip2
26	capi4hylafax (653539)
27	cgiirc (suggested removal in #653510)
28	chrony (655123)
29	citadel (653514)
30	clamav (653958)
31	collectd (suggested removal in #654520)
32	courier-authlib
33	cpio (654522)
34	cscope (653490)
35	ctorrent (653536)
36	devil (653535)
37	devscripts
38	dspam (all changes present, fixed with next upload)
39	djbdns
40	dkim-milter
41	dovecot (653530)
42	drbd8 (currently broken: #654459)
43	e2fsprogs (654457)
44	ejabberd
45	ekg (653531)
46	emacs23 (655118)
47	expat (653526)
48	file (653481)
49	flex
50	freeciv (654809)
51	freeradius
52	ganglia (655126)
53	eglibc
54	gmime2.4
55	pioneers
56	gnumeric
57	gnupg (653480)
58	gzip
59	hashcash
60	heartbeat
61	hostapd
62	hplip
63	httrack
64	hybserv
65	hylafax
66	iceape
67	iceweasel (653191)
68	id3lib3.8.3
69	imagemagick
70	imlib2
71	inotify-tools
72	ircd-hybrid
73	isakmpd
74	iscsitarget
75	kazehakase
76	kde4libs
77	kdebase
78	kdegraphics
79	kolab-cyrus-imapd (will be removed and built from the cyrus-2.4 package; #647221)
80	krb5
81	krb5-appl
82	ktorrent
83	kvirc
84	l2tpns
85	lasso
86	lcms (654821)
87	lftp
88	libapache2-mod-authnz-external
89	libapache2-mod-auth-pgsql
90	libapache-mod-auth-kerb
91	libapache-mod-jk
92	libav
93	cairo (655128)
94	libcgroup (654819)
95	libdbd-pg-perl
96	libdumb
97	libexif (650998)
98	libextractor
99	libfishsound
100	libhtml-parser-perl
101	libimager-perl
102	libmikmod
103	libmodplug (654817)
104	libnet-dns-perl
105	libpng (654149)
106	librpcsecgss (654808)
107	libsmi (654812)
108	libtk-img
109	libtool
110	libtunepimp (654832)
111	libvorbis
112	libwpd (653947)
113	libxfont (654154)
114	libxml2 (654903)
115	libxslt
116	links2 (654807)
117	linux-ftpd
118	loop-aes-utils
119	ltsp
120	lurker
121	lvm2
122	maildrop (655133)
123	mapserver
124	maradns
125	memcached (655134)
126	mimetex
127	mldonkey (655140)
128	mlmmj
129	mon (655137)
130	mono
131	mplayer
132	mplayer2
133	forked-daapd (654147)
134	mtr (654117)
135	multipath-tools
136	mutt (654148)
137	mysql-ocaml
138	icinga
139	nas
140	nbd (653954)
141	ndiswrapper
142	netpbm-free
143	netrik
144	net-snmp
145	newt
146	nginx
147	no-ip
148	noweb
149	nsd3
150	nspr
151	nss
152	ntp
153	openafs
154	open-iscsi
155	openjdk-6
156	libreoffice
157	opensaml2
158	openssl (653495)
159	openswan (655139)
160	openvpn (655130)
161	osiris (suggested removal in 655116)
162	pam-pgsql
163	pcre3
164	pdns
165	pdns-recursor
166	perdition
167	perl
168	ppp
169	pptpd
170	proftpd-dfsg
171	psi
172	pstotext (655105)
173	pygresql
174	python2.7
175	python3.2
176	python3.3
177	python-cjson
178	qemu
179	qemu-kvm
180	qt4-x11
181	qt-x11-free
182	rssh (654155)
183	rsync (652248)
184	ruby-gnome2
185	sash (654909)
186	scponly
187	screen
188	slurm-llnl
189	smstools
190	snmptrapfmt
191	socat (654152)
192	spamassassin
193	spamass-milter
194	speex
195	splitvt
196	squidguard
197	strongswan
198	subversion
199	sudo
200	suphp
201	syslog-ng
202	systemtap
203	tcpreen
204	telepathy-gabble
205	texinfo
206	tgt
207	tinyproxy
208	tk8.4
209	tk8.5
210	unbound
211	unicon
212	unzip
213	vlc
214	vnc4
215	webcit
216	webkit
217	wesnoth
218	wget (654908)
219	wine
220	wml
221	wxwidgets2.6
222	wxwidgets2.8
223	wzdftpd (655141)
224	x11-xserver-utils
225	xapian-omega
226	xine-lib
227	xmlsec1
228	xml-security-c
229	xmltooling
230	zabbix
231	zodb
232	zoo
233	vsftpd (655103)
234
235
236	Packages using dh, but which need additional multiarch changes for compat 9:
237	opensc
238	dia
239	openexr
240	libtorrent-rasterbar
241	exiv2
242	libcdaudio
243	pcsc-lite
244
245
246	Packages using cdbs, which need additional fixes:
247	icedove
248
249	Packages using Scons, needs additional research:
250	blender
251	cheesetracker
252
253	Packages using cmake, needs additional research:
254	kaffeine
255
256
257	Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
258	the upload of dpkg/1.16.1:
259	koffice
260	libspf2
261	wordnet
262	sendmail
263	afuse
264	bomberclone
265	camlimages
266	couchdb
267	crossfire
268	dvipng
269	eggdrop
270	gdm3
271	glib2.0
272	gnutls26
273	gst-plugins-bad0.10
274	gst-plugins-good0.10
275	heimdal
276	icu
277	jabberd14
278	libapache2-mod-fcgid
279	evince
280	libast
281	libgtop2
282	libnss-ldap
283	libpam-ldap
284	libsoup2.4
285	libtasn1-3
286	libtheora
287	link-grammar
288	lsh-server
289	mediawiki
290	moin
291	pango1.0
292	pmount
293	polipo
294	poppler
295	postgresql-ocaml
296	pulseaudio
297	ruby1.8
298	ruby1.9.1
299	squid3
300	streamripper
301	sword
302	t1lib
303	unalz
304	uw-imap
305	vino
306
307
308	Fixed:
309	libvirt (0.9.6-1)
310	gimp (2.6.11-4)
311	ghostscript (9.04~dfsg-1)
312	samba (2:3.5.11~dfsg-2)
313	libgd2 (2.0.36~rc1~dfsg-6)
314	sympa (6.1.7~dfsg-1)
315	mailman (1:2.1.14-3)
316	ncompress (4.2.4.4-3)
317	xzgv (5.9-3)
318	flac (1.2.1-6)
319	xorg-server (2:1.11.1.901-1)
320	openldap (2.4.25-4)
321	vim (2:7.3.346-1)
322	freetype (2.4.7-2)
323	python-crypto (2.4-1)
324	xorg-server (2:1.11.1.901-1)
325	xpdf (3.03-7)
326	fetchmail (6.3.21-3)
327	libmusicbrainz-2.1 (2.1_2.1.5-6.1)
328	network-manager (0.9.1.95-1)
329	libmusicbrainz-2.1 (2.1_2.1.5-6.1)
330	tmux (1.6~svn2630-2)
331	tcpdump (4.2.0~rc1-2)
332	libthai (0.1.16-1)
333	git (1:1.7.7.2-1)
334	man-db (2.6.0.2-3)
335	elinks (0.12~pre5-6)
336	zgv (5.9-4)
337	jasper (1.900.1-11)
338	xfs (1.0.8-7)
339	fbi (2.07-9)
340	reprepro (4.5.0-1)
341	antiword (0.37-8) (653499)
342	wv2 (0.4.2.dfsg.1-5)
343	dpkg (1.16.1)
344	fuse (2.8.6-3)
345	fontforge (0.0.20110222-6) (653534)
346	apache2 (2.2.21-4)
347	cabextract (1.4-2) (653509)
348	htdig (3.2.0b6-12)
349	xterm (276-2) (653488)
350	enscript (1.6.5.90-2) (653528)
351	amule (2.3.1-2) (653503)
352	gv (1:3.7.1-2)
353	bluez-hcidump (2.1-2) (653507)
354	lighttpd (1.4.30-1) (654151)
355	pimd (2.1.8-2) (654081)
356	chmlib (2:0.40a-2) (653955)
357	lynx-cur (6.6.7-4) (654097)
358	rdesktop (1.7.0-2) (653498)
359	libpam-krb5 (4.5-3) (654293)
360	curl (7.23.1-3) (654521)
361	audiofile (0.3.2-1) (651029)
362	libarchive (2.8.5-2)
363	courier (0.66.3-2) (654794)
364	libsndfile (1.0.25-4) (654831)
365	libwmf (0.2.8.4-10)
366	exiftags (1.01-5) (654804)
367	nss-pam-ldapd (0.8.5)
368	isc-dhcp (4.2.2-2)
369	sdl-image1.2 (1.2.10-3)
370
371
372
373
374
375	Hardening incomplete:
376	gtetrinet (653443)
377	firebird2.5 (654793)
378
379
380	Packages, which use hardened build flags manually, but not yet dpkg-buildflags:
381	apr
382	apr-util
383	pound (654833)
384	mpg123
385
386
387
388	Packages using hardening-wrapper/-includes (these are considered fixed, although
389	switching them over to dpkg-buildflags might be worthwhile later on):
390	netatalk
391	graphicsmagick
392	udev
393	xfce4-terminal
394	openssh
395	evolution
396	dbus
397	libgsf
398	tor
399	evolution-data-server
400	cyrus-imapd-2.4
401	aria2
402	mysql-5.1
403	cups
404	wireshark
405	squid
406	exim4
407	php5
408	ipsec-tools
409	postgresql-8.4
410	postgresql-9.0
411	postgresql-9.1
412	gnupg2
413	nagios3
414	tiff
415	bind9
416	postfix
417	chromium-browser
418	pidgin
419	nagios-plugins
420	znc
421	cyrus-sasl2
422	ldns
423	quagga
424
425
426
427
428
429
430
431
432
433
434
435