[oe] samba-essential upgrade or remove?

Frans Meulenbroeks fransmeulenbroeks at gmail.com
Mon Mar 15 07:30:09 UTC 2010


2010/3/15 Holger Hans Peter Freyther <holger+oe at freyther.de>:
> On Monday 08 March 2010 13:51:35 Holger Hans Peter Freyther wrote:
>> On Monday 08 March 2010 13:42:07 Dr. Michael Lauer wrote:
>> > While I'm not using it atm., I recall that samba-essential was the only
>> > recipe that worked relatively painless when Matthias Hentges created it
>> > back then.
>>
>> Then please fix it. You will do a great service to our users. The following
>> CVEs are not addressed:
>>       CVE-2009-2813, CVE-2009-2948, CVE-2009-2906, CVE-2009-1888,
>> CVE-2008-4314, CVE-2008-1105, CVE-2007-6015, CVS-2007-4572,  CVE-2007-5398,
>> CVE-2007-2444, CVE-2007-2446, CVE-2007-2447, CVE-2007-0452, CVE-2007-0453,
>> CVE-2007-0454, CAN-2006-1059..
>
>
> any update? Is anyone volunteering to update samba-essential or shall we
> remove it from the tree? I think we have a responsibility to our users that if
> we install a network daemon that we at least fix the known security issues with
> this one or remove it from our recipe collection... Opinions?

Do we feel we have that responsibility?

I didn't feel that sentiment when it came to removing other legacy
recipes (some of which definitely also will have security issues).
E.g. for openssl we have
openssl_0.9.7e.bb
openssl_0.9.7g.bb
openssl_0.9.7m.bb
openssl_0.9.8g.bb
openssl_0.9.8m.bb
I'm pretty certain the last one will fix some vulnerabilities present
in the first one.

The same probably holds for all network related stuff (nfs, apache,
php, cups, ...)

Btw this is not a volunteering proposal from my side. I haven't
recovered from being burned last time.

Frans

PS: I'm in favour of keeping samba-essential. In an embedded system
lightweight solutions are often desirable.



