Bug 29733 - tmate should probably be dropped due to inadequate upstream maintenance
Summary: tmate should probably be dropped due to inadequate upstream maintenance
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: All Linux
Priority: release_blocker
Severity: normal
Target Milestone: Mageia 9
Assignee: Thierry Vignaud
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 30163
Reported: 2021-12-06 18:27 CET by David Walser
Modified: 2022-10-25 14:53 CEST (History)

See Also:
Source RPM: tmate-2.4.0-1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2021-12-06 18:27:01 CET
This report details some issues in tmate-ssh-server, which I don't believe we have packaged:
https://www.openwall.com/lists/oss-security/2021/12/06/2

Apparently it and tmate itself were born as forks of tmux, and the above report contains this concerning statement:
"Both forks originate from
the year 2016 and no sync seems to have happened since then. The upstream
author states that he doesn't backport fixes any more due to lack of time."

As such, I'm not sure if tmate is vulnerable to CVE-2018-19387 (Bug 24054) or CVE-2020-27347 (Bug 27569) but if it isn't syncing fixes from tmux, it could leave it vulnerable to other issues in the future.  Nothing requires this package so we can drop it.
David Walser 2021-12-06 18:27:12 CET

Target Milestone: --- => Mageia 9
Priority: Normal => release_blocker

Comment 1 Thierry Vignaud 2021-12-29 18:30:30 CET
Humm it's very useful.
It's still maintained in other distros.
I think we can just follow other distros on that front.
Comment 2 David Walser 2021-12-29 18:32:46 CET
Just because it's packaged in distros doesn't mean anything if the software itself isn't being maintained.
David Walser 2022-10-25 14:53:07 CEST

Blocks: (none) => 30163

