Debian Bug report logs - #451373
RM: ircii-pana -- RoQA; security issues, abandoned upstream, unmainted

Package: ftp.debian.org; Maintainer for ftp.debian.org is Debian FTP Master <ftpmaster@ftp-master.debian.org>;

Reported by: Stephan Hermann <sh@sourcecode.de>

Date: Thu, 15 Nov 2007 13:09:02 UTC

Severity: normal

Done: Debian Archive Maintenance <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, William Vera <billy@billy.com.mx>:
Bug#451373; Package ircii-pana.


Acknowledgement sent to Stephan Hermann <sh@sourcecode.de>:
New Bug report received and forwarded. Copy sent to William Vera <billy@billy.com.mx>.


Message #5 received at submit@bugs.debian.org:

From: Stephan Hermann <sh@sourcecode.de>
To: submit@bugs.debian.org
Subject: removal of ircii-pana (aka bitchx)
Date: Thu, 15 Nov 2007 14:02:54 +0100
Package: ircii-pana
Version 1:1.1-5

Dear Colleagues,

I discussed this on #debian-security@OFTC and with other people from
the Ubuntu community.

I (or we) think it's time to get rid of this package, just because it
has a lot of security flaws (which are not already determined) but with
3 CVEs hanging.

Upstream seems to be (is) dead.

Regarding the alternatives for IRC clients on the console (irssi in
this case) and other alternatives on the X Window interface (xchat,
konversation etc.) it should be no deal to get rid of this package.

This removal request will be filed on Launchpad.net for Ubuntu, too.


Regards,

\sh


Bug reassigned from package `ircii-pana' to `ftp.debian.org'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 15 Nov 2007 13:42:05 GMT)


Changed Bug title to `RM: ircii-pana, security flaws, no upstream, inactive maintainer' from `removal of ircii-pana (aka bitchx)'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 15 Nov 2007 13:45:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, James Troup and others <ftpmaster@ftp-master.debian.org>:
Bug#451373; Package ftp.debian.org.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to James Troup and others <ftpmaster@ftp-master.debian.org>.


Message #14 received at 451373@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 451373@bugs.debian.org
Subject: Re: Bug#451373: removal of ircii-pana (aka bitchx)
Date: Thu, 15 Nov 2007 14:50:01 +0100
Hi,
* Stephan Hermann <sh@sourcecode.de> [2007-11-15 14:11]:
> Dear Colleagues,
> 
> I discussed this on #debian-security@OFTC and with other people from
> the Ubuntu community.
> 
> I (or we) think it's time to get rid of this package, just because it
> has a lot of security flaws (which are not already determined) but with
> 3 CVEs hanging.
> 
> Upstream seems to be (is) dead.
> 
> Regarding the alternatives for IRC clients on the console (irssi in
> this case) and other alternatives on the X Window interface (xchat,
> konversation etc.) it should be no deal to get rid of this package.
> 
> This removal request will be filed on Launchpad.net for Ubuntu, too.

I strongly agree with this.
Bitchx (ircii-pana) is currently vulnerable to 3 security 
issues, namely CVE-2007-3360, CVE-2007-4584 and CVE-2007-5839.
In my opinion CVE-2007-4584 is most important and no one 
found a solution yet. Of course this alone is no reason to 
remove it. The whole source code is a mess, everyone who 
sits down to find a security issue in bitchx will find 
another one.

The ircii-pana maintainer also seems to be MIA, I mailed him 
some time ago without an answer yet. I also mailed the 
upstream quite some time ago, also no answer.

Additionally it has an FTBFS open (patch attached to the bug 
report) but even with the patch for this FTBFS you would run 
into another I didn't file a bug for since no one seems to 
care about ircii-pana.

Sadly still a lot of people use bitchx but considering that 
there are enough good alternatives in the archive I think 
removing it would be appropriate.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Changed Bug title to `RM: ircii-pana -- RoQA; security issues, abandoned upstream, unmainted' from `RM: ircii-pana, security flaws, no upstream, inactive maintainer'. Request was from Adam D. Barratt <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org. (Thu, 15 Nov 2007 18:33:04 GMT)


Reply sent to Debian Archive Maintenance <ftpmaster@ftp-master.debian.org>:
You have taken responsibility.


Notification sent to Stephan Hermann <sh@sourcecode.de>:
Bug acknowledged by developer.


Message #21 received at 451373-close@bugs.debian.org:

From: Debian Archive Maintenance <ftpmaster@ftp-master.debian.org>
To: 451373-close@bugs.debian.org
Cc: ircii-pana@packages.debian.org, ircii-pana@packages.qa.debian.org
Subject: Bug#451373: fixed
Date: Fri, 23 Nov 2007 00:44:54 +0000
We believe that the bug you reported is now fixed; the following
package(s) have been removed from unstable:

    bitchx |    1:1.1-4 | hurd-i386
    bitchx |    1:1.1-5 | alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc
    bitchx | 1:1.1-5+b1 | m68k
bitchx-dev |    1:1.1-4 | hurd-i386
bitchx-dev |    1:1.1-5 | alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc
bitchx-dev | 1:1.1-5+b1 | m68k
bitchx-gtk |    1:1.1-4 | hurd-i386
bitchx-gtk |    1:1.1-5 | alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc
bitchx-gtk | 1:1.1-5+b1 | m68k
bitchx-ssl |    1:1.1-4 | hurd-i386
bitchx-ssl |    1:1.1-5 | alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390, sparc
bitchx-ssl | 1:1.1-5+b1 | m68k
ircii-pana |    1:1.1-5 | source

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive (ftp-master.debian.org) and will not propagate to any
mirrors (ftp.debian.org included) until the next cron.daily run at the
earliest.

Packages are never removed from testing by hand.  Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems.

Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System.  Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 451373@bugs.debian.org.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.

Debian distribution maintenance software
pp.
Joerg Jaspert (the ftpmaster behind the curtain)




Information forwarded to debian-bugs-dist@lists.debian.org, James Troup and others <ftpmaster@ftp-master.debian.org>:
Bug#451373; Package ftp.debian.org.


Acknowledgement sent to Parasite <parasit3@no-log.org>:
Extra info received and forwarded to list. Copy sent to James Troup and others <ftpmaster@ftp-master.debian.org>.


Message #26 received at 451373@bugs.debian.org:

From: Parasite <parasit3@no-log.org>
To: 451373@bugs.debian.org
Subject: Re: Bug#451373: removal of ircii-pana (aka bitchx)
Date: Fri, 23 Nov 2007 12:05:36 +0100
I am still using Bitchx and don't want to use another client, really sad
news! It has a nice design and the default configuration is awesome.
I'll give another chance to irssi but I'm not convinced...





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 22 Dec 2007 07:31:31 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jan 11 18:12:18 2018; Machine Name: buxtehude
