EPEL Orphaned packages with vulnerabilities

Anssi Johansson epel at miuku.net
Sat Aug 9 16:51:26 UTC 2014


6.8.2014 21.32, Eric H. Christensen kirjoitti:
> I just did a query of all the packages in EPEL that are currently orphaned and contain vulnerabilities. I'm wondering if any of them are still useful or if they can be removed from the repos. Here's the list:

If you are concerned about orphaned and vulnerable packages, please 
remove openstack-nova as well. Even though it isn't marked as orphaned 
in the pkgdb, the package maintainer is apparently not going to fix the 
vulnerabilities. openstack-nova has been requested to be removed in one 
of the comments for the following bugs, but nothing has happened. I 
consider the package "de facto" orphaned.


https://bugzilla.redhat.com/show_bug.cgi?id=956808
/var/log/nova/ is world readable

https://bugzilla.redhat.com/show_bug.cgi?id=961736
CVE-2013-2030 insecure directory creation for signing

https://bugzilla.redhat.com/show_bug.cgi?id=963728
CVE-2013-2096 fails to verify image virtual size denial of service

https://bugzilla.redhat.com/show_bug.cgi?id=994810
CVE-2013-2256 private flavors resource limit circumvention

https://bugzilla.redhat.com/show_bug.cgi?id=994817
CVE-2013-4185 network source security groups denial of service

https://bugzilla.redhat.com/show_bug.cgi?id=995173
CVE-2013-4179 XML entities DoS

https://bugzilla.redhat.com/show_bug.cgi?id=999277
CVE-2013-4261 console-log DoS

https://bugzilla.redhat.com/show_bug.cgi?id=1040789
CVE-2013-7048 insecure directory permissions in snapshots

https://bugzilla.redhat.com/show_bug.cgi?id=1057311
CVE-2013-7130 Live migration can leak root disk into ephemeral storage

https://bugzilla.redhat.com/show_bug.cgi?id=1119585
CVE-2013-6437 DoS through ephemeral disk backing files

https://bugzilla.redhat.com/show_bug.cgi?id=1119632
CVE-2014-0134 Nova host data leak to vm instance in rescue mode

https://bugzilla.redhat.com/show_bug.cgi?id=1120951
CVE-2014-3517 timing attack issue allows access to other instances' 
configuration information
