secure-testing/hardening/subgoal-dsa.txt

Hardening subgoal for Wheezy:
All packages, which had a DSA since 2006. 

Instructions:
- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
- After NMUing a candidate where all build flags have been successfully enabled, 
  add it to the "Resolved/fixed:" list
- After NMUing a candidate with only some of the build flags enabled, add it to
  the "Partially fixed: list (in order to remember what needs further work in the 
  future)
- cdbs packages should be fixed automatically, but needs to be double-checked


Candidates:

acpid (653502)
alsaplayer (654518)
amarok (653354)
apt (653504)
asterisk (653944)
avahi (all changes present, fixed with next upload)
barnowl (653506)
beid (653956)
bochs (653511)
bzip2
capi4hylafax (653539)
cgiirc (suggested removal in #653510)
chrony
citadel (653514)
clamav (653958)
collectd (suggested removal in #654520)
courier-authlib
cpio (654522)
cscope (653490)
ctorrent (653536)
devil (653535)
devscripts
dspam (all changes present, fixed with next upload)
djbdns
dkim-milter
dovecot (653530)
drbd8 (currently broken: #654459)
e2fsprogs (654457)
ejabberd
ekg (653531)
emacs23 (655118)
exiv2
expat (653526)
file (653481)
flex
freeciv (654809)
freeradius
ganglia
eglibc
gmime2.4
pioneers
gnumeric
gnupg (653480)
gzip
hashcash
heartbeat
hostapd
hplip
httrack
hybserv
hylafax
iceape
iceweasel (653191)
id3lib3.8.3
imagemagick
imlib2
inotify-tools
ircd-hybrid
isakmpd
iscsitarget
kazehakase
kde4libs
kdebase
kdegraphics
kolab-cyrus-imapd (will be removed and built from the cyrus-2.4 package; #647221)
krb5
krb5-appl
ktorrent
kvirc
l2tpns
lasso
lcms (654821)
lftp
libapache2-mod-authnz-external
libapache2-mod-auth-pgsql
libapache-mod-auth-kerb
libapache-mod-jk
libav
cairo
libcdaudio
libcgroup (654819)
libdbd-pg-perl
libdumb
libexif (650998)
libextractor
libfishsound
libhtml-parser-perl
libimager-perl
libmikmod
libmodplug (654817)
libnet-dns-perl
libpng (654149)
librpcsecgss (654808)
libsmi (654812)
libtk-img
libtool
libtunepimp (654832)
libvorbis
libwpd (653947)
libxfont (654154)
libxml2 (654903)
libxslt
links2 (654807)
linux-ftpd
loop-aes-utils
ltsp
lurker
lvm2
maildrop
mapserver
maradns
memcached
mimetex
mldonkey
mlmmj
mon
mono
mpg123
mplayer
mplayer2
forked-daapd (654147)
mtr (654117)
multipath-tools
mutt (654148)
mysql-ocaml
icinga
nas
nbd (653954)
ndiswrapper
netpbm-free
netrik
net-snmp
newt
nginx
no-ip
noweb
nsd3
nspr
nss
ntp
openafs
open-iscsi
openjdk-6
libreoffice
opensaml2
openssl (653495)
openswan
openvpn
osiris (suggested removal in 655116)
pam-pgsql
pcre3
pcsc-lite
pdns
pdns-recursor
perdition
perl
ppp
pptpd
proftpd-dfsg
psi
pstotext (655105)
pygresql
python2.7
python3.2
python3.3
python-cjson
qemu
qemu-kvm
qt4-x11
qt-x11-free
rssh (654155)
rsync (652248)
ruby-gnome2
sash (654909)
scponly
screen
sdl-image1.2
slurm-llnl
smstools
snmptrapfmt
socat (654152)
spamassassin
spamass-milter
speex
splitvt
squidguard
strongswan
subversion
sudo
suphp
syslog-ng
systemtap
tcpreen
telepathy-gabble
texinfo
tgt
tinymux
tinyproxy
tk8.4
tk8.5
unbound
unicon
unzip
vlc
vnc4
webcit
webkit
wesnoth
wget (654908)
wine
wml
wxwidgets2.6
wxwidgets2.8
wzdftpd
x11-xserver-utils
xapian-omega
xine-lib
xmlsec1
xml-security-c
xmltooling
zabbix
zodb
zoo
vsftpd (655103)


Packages using dh, but which need additional multiarch changes for compat 9:
opensc
dia
openexr
libtorrent-rasterbar


Packages using cdbs, which need additional fixes:
icedove

Packages using Scons, needs additional research:
blender
cheesetracker

Packages using cmake, needs additional research:
kaffeine


Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
  the upload of dpkg/1.16.1:
koffice
libspf2
wordnet
sendmail
afuse
bomberclone
camlimages
couchdb
crossfire
dvipng
eggdrop
gdm3
glib2.0
gnutls26
gst-plugins-bad0.10
gst-plugins-good0.10
heimdal
icu
jabberd14
libapache2-mod-fcgid
evince
libast
libgtop2
libnss-ldap
libpam-ldap
libsoup2.4
libtasn1-3
libtheora
link-grammar
lsh-server
mediawiki
moin
pango1.0
pmount
polipo
poppler
postgresql-ocaml
pulseaudio
ruby1.8
ruby1.9.1
squid3
streamripper
sword
t1lib
unalz
uw-imap
vino


Fixed:
libvirt (0.9.6-1)
gimp (2.6.11-4)
ghostscript (9.04~dfsg-1)
samba (2:3.5.11~dfsg-2)
libgd2 (2.0.36~rc1~dfsg-6)
sympa (6.1.7~dfsg-1)
mailman (1:2.1.14-3)
ncompress (4.2.4.4-3)
xzgv (5.9-3)
flac (1.2.1-6)
xorg-server (2:1.11.1.901-1)
openldap (2.4.25-4)
vim (2:7.3.346-1)
freetype (2.4.7-2)
python-crypto (2.4-1)
xorg-server (2:1.11.1.901-1)
xpdf (3.03-7)
fetchmail (6.3.21-3)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
network-manager (0.9.1.95-1)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
tmux (1.6~svn2630-2)
tcpdump (4.2.0~rc1-2)
libthai (0.1.16-1)
git (1:1.7.7.2-1)
man-db (2.6.0.2-3)
elinks (0.12~pre5-6)
zgv (5.9-4)
jasper (1.900.1-11)
xfs (1.0.8-7)
fbi (2.07-9) 
reprepro (4.5.0-1)
antiword (0.37-8) (653499)
wv2 (0.4.2.dfsg.1-5)
dpkg (1.16.1)
fuse (2.8.6-3)
fontforge (0.0.20110222-6) (653534)
apache2 (2.2.21-4)
cabextract (1.4-2) (653509)
htdig (3.2.0b6-12)
xterm (276-2) (653488)
enscript (1.6.5.90-2) (653528)
amule (2.3.1-2) (653503)
gv (1:3.7.1-2)
bluez-hcidump (2.1-2) (653507)
lighttpd (1.4.30-1) (654151)
pimd (2.1.8-2) (654081)
chmlib (2:0.40a-2) (653955)
lynx-cur (6.6.7-4) (654097)
rdesktop (1.7.0-2) (653498)
libpam-krb5 (4.5-3) (654293)
curl (7.23.1-3) (654521)
audiofile (0.3.2-1) (651029)
libarchive (2.8.5-2)
courier (0.66.3-2) (654794)
libsndfile (1.0.25-4) (654831)
libwmf (0.2.8.4-10)
exiftags (1.01-5) (654804) 
nss-pam-ldapd (0.8.5)
isc-dhcp (4.2.2-2)


Hardening incomplete:
gtetrinet (653443)
firebird2.5 (654793)


Packages, which use hardened build flags manually, but not yet dpkg-buildflags:
apr
apr-util
pound (654833)


Packages using hardening-wrapper/-includes (these are considered fixed, although
   switching them over to dpkg-buildflags might be worthwhile later on):
netatalk
graphicsmagick
udev
xfce4-terminal
openssh
evolution
dbus
libgsf
tor
evolution-data-server
cyrus-imapd-2.4
aria2
mysql-5.1
cups
wireshark
squid
exim4
php5
ipsec-tools
postgresql-8.4
postgresql-9.0
postgresql-9.1
gnupg2
nagios3
tiff
bind9
postfix
chromium-browser
pidgin
nagios-plugins
znc
cyrus-sasl2
ldns
quagga


1	Hardening subgoal for Wheezy:
2	All packages, which had a DSA since 2006.
3
4	Instructions:
5	- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
6	- After NMUing a candidate where all build flags have been successfully enabled,
7	add it to the "Resolved/fixed:" list
8	- After NMUing a candidate with only some of the build flags enabled, add it to
9	the "Partially fixed: list (in order to remember what needs further work in the
10	future)
11	- cdbs packages should be fixed automatically, but needs to be double-checked
12
13
14	Candidates:
15
16	acpid (653502)
17	alsaplayer (654518)
18	amarok (653354)
19	apt (653504)
20	asterisk (653944)
21	avahi (all changes present, fixed with next upload)
22	barnowl (653506)
23	beid (653956)
24	bochs (653511)
25	bzip2
26	capi4hylafax (653539)
27	cgiirc (suggested removal in #653510)
28	chrony
29	citadel (653514)
30	clamav (653958)
31	collectd (suggested removal in #654520)
32	courier-authlib
33	cpio (654522)
34	cscope (653490)
35	ctorrent (653536)
36	devil (653535)
37	devscripts
38	dspam (all changes present, fixed with next upload)
39	djbdns
40	dkim-milter
41	dovecot (653530)
42	drbd8 (currently broken: #654459)
43	e2fsprogs (654457)
44	ejabberd
45	ekg (653531)
46	emacs23 (655118)
47	exiv2
48	expat (653526)
49	file (653481)
50	flex
51	freeciv (654809)
52	freeradius
53	ganglia
54	eglibc
55	gmime2.4
56	pioneers
57	gnumeric
58	gnupg (653480)
59	gzip
60	hashcash
61	heartbeat
62	hostapd
63	hplip
64	httrack
65	hybserv
66	hylafax
67	iceape
68	iceweasel (653191)
69	id3lib3.8.3
70	imagemagick
71	imlib2
72	inotify-tools
73	ircd-hybrid
74	isakmpd
75	iscsitarget
76	kazehakase
77	kde4libs
78	kdebase
79	kdegraphics
80	kolab-cyrus-imapd (will be removed and built from the cyrus-2.4 package; #647221)
81	krb5
82	krb5-appl
83	ktorrent
84	kvirc
85	l2tpns
86	lasso
87	lcms (654821)
88	lftp
89	libapache2-mod-authnz-external
90	libapache2-mod-auth-pgsql
91	libapache-mod-auth-kerb
92	libapache-mod-jk
93	libav
94	cairo
95	libcdaudio
96	libcgroup (654819)
97	libdbd-pg-perl
98	libdumb
99	libexif (650998)
100	libextractor
101	libfishsound
102	libhtml-parser-perl
103	libimager-perl
104	libmikmod
105	libmodplug (654817)
106	libnet-dns-perl
107	libpng (654149)
108	librpcsecgss (654808)
109	libsmi (654812)
110	libtk-img
111	libtool
112	libtunepimp (654832)
113	libvorbis
114	libwpd (653947)
115	libxfont (654154)
116	libxml2 (654903)
117	libxslt
118	links2 (654807)
119	linux-ftpd
120	loop-aes-utils
121	ltsp
122	lurker
123	lvm2
124	maildrop
125	mapserver
126	maradns
127	memcached
128	mimetex
129	mldonkey
130	mlmmj
131	mon
132	mono
133	mpg123
134	mplayer
135	mplayer2
136	forked-daapd (654147)
137	mtr (654117)
138	multipath-tools
139	mutt (654148)
140	mysql-ocaml
141	icinga
142	nas
143	nbd (653954)
144	ndiswrapper
145	netpbm-free
146	netrik
147	net-snmp
148	newt
149	nginx
150	no-ip
151	noweb
152	nsd3
153	nspr
154	nss
155	ntp
156	openafs
157	open-iscsi
158	openjdk-6
159	libreoffice
160	opensaml2
161	openssl (653495)
162	openswan
163	openvpn
164	osiris (suggested removal in 655116)
165	pam-pgsql
166	pcre3
167	pcsc-lite
168	pdns
169	pdns-recursor
170	perdition
171	perl
172	ppp
173	pptpd
174	proftpd-dfsg
175	psi
176	pstotext (655105)
177	pygresql
178	python2.7
179	python3.2
180	python3.3
181	python-cjson
182	qemu
183	qemu-kvm
184	qt4-x11
185	qt-x11-free
186	rssh (654155)
187	rsync (652248)
188	ruby-gnome2
189	sash (654909)
190	scponly
191	screen
192	sdl-image1.2
193	slurm-llnl
194	smstools
195	snmptrapfmt
196	socat (654152)
197	spamassassin
198	spamass-milter
199	speex
200	splitvt
201	squidguard
202	strongswan
203	subversion
204	sudo
205	suphp
206	syslog-ng
207	systemtap
208	tcpreen
209	telepathy-gabble
210	texinfo
211	tgt
212	tinymux
213	tinyproxy
214	tk8.4
215	tk8.5
216	unbound
217	unicon
218	unzip
219	vlc
220	vnc4
221	webcit
222	webkit
223	wesnoth
224	wget (654908)
225	wine
226	wml
227	wxwidgets2.6
228	wxwidgets2.8
229	wzdftpd
230	x11-xserver-utils
231	xapian-omega
232	xine-lib
233	xmlsec1
234	xml-security-c
235	xmltooling
236	zabbix
237	zodb
238	zoo
239	vsftpd (655103)
240
241
242	Packages using dh, but which need additional multiarch changes for compat 9:
243	opensc
244	dia
245	openexr
246	libtorrent-rasterbar
247
248
249	Packages using cdbs, which need additional fixes:
250	icedove
251
252	Packages using Scons, needs additional research:
253	blender
254	cheesetracker
255
256	Packages using cmake, needs additional research:
257	kaffeine
258
259
260	Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
261	the upload of dpkg/1.16.1:
262	koffice
263	libspf2
264	wordnet
265	sendmail
266	afuse
267	bomberclone
268	camlimages
269	couchdb
270	crossfire
271	dvipng
272	eggdrop
273	gdm3
274	glib2.0
275	gnutls26
276	gst-plugins-bad0.10
277	gst-plugins-good0.10
278	heimdal
279	icu
280	jabberd14
281	libapache2-mod-fcgid
282	evince
283	libast
284	libgtop2
285	libnss-ldap
286	libpam-ldap
287	libsoup2.4
288	libtasn1-3
289	libtheora
290	link-grammar
291	lsh-server
292	mediawiki
293	moin
294	pango1.0
295	pmount
296	polipo
297	poppler
298	postgresql-ocaml
299	pulseaudio
300	ruby1.8
301	ruby1.9.1
302	squid3
303	streamripper
304	sword
305	t1lib
306	unalz
307	uw-imap
308	vino
309
310
311	Fixed:
312	libvirt (0.9.6-1)
313	gimp (2.6.11-4)
314	ghostscript (9.04~dfsg-1)
315	samba (2:3.5.11~dfsg-2)
316	libgd2 (2.0.36~rc1~dfsg-6)
317	sympa (6.1.7~dfsg-1)
318	mailman (1:2.1.14-3)
319	ncompress (4.2.4.4-3)
320	xzgv (5.9-3)
321	flac (1.2.1-6)
322	xorg-server (2:1.11.1.901-1)
323	openldap (2.4.25-4)
324	vim (2:7.3.346-1)
325	freetype (2.4.7-2)
326	python-crypto (2.4-1)
327	xorg-server (2:1.11.1.901-1)
328	xpdf (3.03-7)
329	fetchmail (6.3.21-3)
330	libmusicbrainz-2.1 (2.1_2.1.5-6.1)
331	network-manager (0.9.1.95-1)
332	libmusicbrainz-2.1 (2.1_2.1.5-6.1)
333	tmux (1.6~svn2630-2)
334	tcpdump (4.2.0~rc1-2)
335	libthai (0.1.16-1)
336	git (1:1.7.7.2-1)
337	man-db (2.6.0.2-3)
338	elinks (0.12~pre5-6)
339	zgv (5.9-4)
340	jasper (1.900.1-11)
341	xfs (1.0.8-7)
342	fbi (2.07-9)
343	reprepro (4.5.0-1)
344	antiword (0.37-8) (653499)
345	wv2 (0.4.2.dfsg.1-5)
346	dpkg (1.16.1)
347	fuse (2.8.6-3)
348	fontforge (0.0.20110222-6) (653534)
349	apache2 (2.2.21-4)
350	cabextract (1.4-2) (653509)
351	htdig (3.2.0b6-12)
352	xterm (276-2) (653488)
353	enscript (1.6.5.90-2) (653528)
354	amule (2.3.1-2) (653503)
355	gv (1:3.7.1-2)
356	bluez-hcidump (2.1-2) (653507)
357	lighttpd (1.4.30-1) (654151)
358	pimd (2.1.8-2) (654081)
359	chmlib (2:0.40a-2) (653955)
360	lynx-cur (6.6.7-4) (654097)
361	rdesktop (1.7.0-2) (653498)
362	libpam-krb5 (4.5-3) (654293)
363	curl (7.23.1-3) (654521)
364	audiofile (0.3.2-1) (651029)
365	libarchive (2.8.5-2)
366	courier (0.66.3-2) (654794)
367	libsndfile (1.0.25-4) (654831)
368	libwmf (0.2.8.4-10)
369	exiftags (1.01-5) (654804)
370	nss-pam-ldapd (0.8.5)
371	isc-dhcp (4.2.2-2)
372
373
374
375
376	Hardening incomplete:
377	gtetrinet (653443)
378	firebird2.5 (654793)
379
380
381	Packages, which use hardened build flags manually, but not yet dpkg-buildflags:
382	apr
383	apr-util
384	pound (654833)
385
386
387
388	Packages using hardening-wrapper/-includes (these are considered fixed, although
389	switching them over to dpkg-buildflags might be worthwhile later on):
390	netatalk
391	graphicsmagick
392	udev
393	xfce4-terminal
394	openssh
395	evolution
396	dbus
397	libgsf
398	tor
399	evolution-data-server
400	cyrus-imapd-2.4
401	aria2
402	mysql-5.1
403	cups
404	wireshark
405	squid
406	exim4
407	php5
408	ipsec-tools
409	postgresql-8.4
410	postgresql-9.0
411	postgresql-9.1
412	gnupg2
413	nagios3
414	tiff
415	bind9
416	postfix
417	chromium-browser
418	pidgin
419	nagios-plugins
420	znc
421	cyrus-sasl2
422	ldns
423	quagga
424
425
426
427
428
429
430
431
432
433
434
435