FS#69855 : [profile-sync-daemon] inetutils dependency may not be needed

FS#69855 - [profile-sync-daemon] inetutils dependency may not be needed

Attached to Project: Community Packages
Opened by BH (braderhart) - Tuesday, 02 March 2021, 12:17 GMT
Last edited by David Runge (dvzrv) - Monday, 05 July 2021, 16:27 GMT

Task Type	Bug Report
Category	Packages
Status	Closed
Assigned To	David Runge (dvzrv)
Architecture	All
Severity	Medium
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	2 tinywrkb (tinywrkb) (2021-05-29) BH (braderhart) (2021-03-02)
Private	No

Details

Description:

inetutils is currently impacted by a high risk arbitrary code execution vulnerability. It isn't listed as a dependency for installation:

https://github.com/graysky2/profile-sync-daemon/blob/master/INSTALL

Additional info:
* package version: 6.44-1
* link to inetutils security vulnerability:
* https://security.archlinux.org/AVG-1003

This task depends upon

Closed by David Runge (dvzrv)
Monday, 05 July 2021, 16:27 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed with 6.44-2

Comment by loqs (loqs) - Tuesday, 02 March 2021, 12:51 GMT

Use of `hostname` from inetutils was replaced by `uname -n` in [1] included in releases 6.43 and newer.

[1] https://github.com/graysky2/profile-sync-daemon/commit/959789e514622d6bf9b9b52fe696d089029ed33e

Comment by David Runge (dvzrv) - Monday, 05 July 2021, 16:26 GMT

@braderhart @loqs: Thanks for the report and the follow up.

Will release a new version of the package with inetutils removed from depends.

	Tasks related to this task (0)

Duplicate tasks of this task (1)
~~FS#71052 - [profile-sync-daemon] remove inetutils from depends~~

Arch Linux

FS#69855 - [profile-sync-daemon] inetutils dependency may not be needed

Details

Loading...