Bug 29733

Summary: tmate should probably be dropped due to inadequate upstream maintenance
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: RPM Packages
Assignee: Thierry Vignaud <thierry.vignaud>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: release_blocker
CC: davidwhodgins, fri, mageia
Version: Cauldron
Target Milestone: Mageia 9
Hardware: All
OS: Linux
Whiteboard:
Source RPM: tmate-2.4.0-1.mga8.src.rpm
CVE:
Status comment:
Bug Depends on:
Bug Blocks: 30163

Description David Walser 2021-12-06 18:27:01 CET
This report details some issues in tmate-ssh-server, which I don't believe we have packaged:
https://www.openwall.com/lists/oss-security/2021/12/06/2

Apparently it and tmate itself were born as forks of tmux, and the above report contains this concerning statement:
"Both forks originate from the year 2016 and no sync seems to have happened since then. The upstream author states that he doesn't backport fixes any more due to lack of time."

As such, I'm not sure if tmate is vulnerable to CVE-2018-19387 (Bug 24054) or CVE-2020-27347 (Bug 27569), but if it isn't syncing fixes from tmux, it could leave it vulnerable to other issues in the future. Nothing requires this package, so we can drop it.
David Walser 2021-12-06 18:27:12 CET

Priority: Normal => release_blocker
Target Milestone: --- => Mageia 9

Comment 1 Thierry Vignaud 2021-12-29 18:30:30 CET
Hmm, it's very useful.
It's still maintained in other distros.
I think we can just follow other distros on that front.
Comment 2 David Walser 2021-12-29 18:32:46 CET
Just because it's packaged in distros doesn't mean anything if the software itself isn't being maintained.
David Walser 2022-10-25 14:53:07 CEST

Blocks: (none) => 30163

Comment 3 Morgan Leijström 2023-06-11 01:33:28 CEST
Does this need to be a release blocker?

CC: (none) => fri

Comment 4 David Walser 2023-06-11 03:26:26 CEST
Yes, packages can't be dropped after release.
Comment 5 Dave Hodgins 2023-06-11 20:14:52 CEST
For packages like this where it is not on the iso image, it's a blocker
for the final, not a blocker for the rc.

CC: (none) => davidwhodgins

Comment 6 Nicolas Lécureuil 2023-06-19 01:10:19 CEST
Fixed, closing.

CC: (none) => mageia
Resolution: (none) => FIXED
Status: NEW => RESOLVED