Subject: Removing KDE2
To: None <tech-pkg@NetBSD.org>
From: Thomas Klausner <wiz@NetBSD.org>
List: tech-pkg
Date: 12/27/2004 12:41:49

Hi!

KDE2 had its last release in 2001, and was moved into the Attic on
the kde ftp site in March 2003 (and is thus, AFAICT, not supported
any longer by the KDE team).

Since then, a number of vulnerabilities have been reported:
WARNING: kde-2.2.2nb10 is vulnerable (kde<3.1.1nb1): remote-code-execution (http://www.kde.org/info/security/advisory-20030409-1.txt)
WARNING: kdebase-2.2.2nb7 is vulnerable (kdebase<3.0.5.1): remote-code-execution (http://www.kde.org/info/security/advisory-20021220-1.txt)
WARNING: kdegames-2.2.2nb7 is vulnerable (kdegames<3.0.5.1): remote-code-execution (http://www.kde.org/info/security/advisory-20021220-1.txt)
WARNING: kdegraphics-3.3.2 is vulnerable (kdegraphics<3.3.2nb1): remote-code-execution (http://www.kde.org/info/security/advisory-20041223-1.txt)
WARNING: kdegraphics-2.2.2nb8 is vulnerable (kdegraphics<3.0.5.1): remote-code-execution (http://www.kde.org/info/security/advisory-20021220-1.txt)
WARNING: kdelibs-2.2.2nb13 is vulnerable (kdelibs<3.0.5.1): remote-code-execution (http://www.kde.org/info/security/advisory-20021220-1.txt)
WARNING: kdemultimedia-2.2.2nb7 is vulnerable (kdemultimedia<3.0.5.1): remote-code-execution (http://www.kde.org/info/security/advisory-20021220-1.txt)
WARNING: kdenetwork-2.2.2nb10 is vulnerable (kdenetwork-2.[12]*): remote-root-shell (http://www.kde.org/info/security/advisory-20021111-2.txt)
WARNING: kdepim-2.2.2nb8 is vulnerable (kdepim<3.0.5.1): remote-code-execution (http://www.kde.org/info/security/advisory-20021220-1.txt)
WARNING: kdesdk-2.2.2nb8 is vulnerable (kdesdk<3.0.5.1): remote-code-execution (http://www.kde.org/info/security/advisory-20021220-1.txt)
WARNING: kdeutils-2.2.2nb7 is vulnerable (kdeutils<3.0.5.1): remote-code-execution (http://www.kde.org/info/security/advisory-20021220-1.txt)
WARNING: koffice-1.1.1nb7 is vulnerable (koffice<1.3.5): integer-overflow (http://kde.org/areas/koffice/releases/1.3.4-release.ph)

Some of these have been there for a long time (note the dates).
Additionally, the maintainer is set to tech-pkg.  For these reasons
I'd like to remove the KDE2 packages from pkgsrc.

Does someone want to start maintaining the KDE2 packages and provide
fixes and maintenance for the packages?

If no maintainer can be found, I'll be removing them in one week.

Cheers,
 Thomas