vulnerablecode
Tracking withdrawn packages
There are packages some versions of which have been officially "withdrawn" by the authors and flagged as "do not use". Examples are OpenSSL 3.0.6 and Linux kernel 2.4.11.
These packages have of course valid versions, but are not ones that should be suggested as "upgrade to these versions" or similar. Possibly they should never be reported.
This is something we need to track somehow, this and forever vulnerable packages (e.g. malware) (#855, reported by @keshav-space).
I guess in a way this is the same as a forever vulnerable package version. This may not be intentional like malware, but tracking-wise the result is the same.
Another example is GNU wget 1.13.2 which has actually been removed from the GNU download site.
Somewhat related are missing releases of RPM. While these have not been withdrawn it seems that they have been misplaced and can no longer be found:
https://rpm.org/timeline.html
(search for 'missing')
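The thread asks for a way to record a version as withdrawn (or permanently vulnerable) so it is never offered as a "fix" version. The snippet below is an added illustration of that bookkeeping, not vulnerablecode's own code or data model: a per-version record carrying `vulnerable` and `withdrawn` flags, and a fix-suggestion helper that skips any flagged version when choosing the nearest safe upgrade. The sample version lists are constructed from the examples named in the thread (OpenSSL 3.0.6, GNU wget 1.13.2); the ordering function assumes plain dotted numeric versions and is a simplification.

```python
"""Added example (not vulnerablecode's own code): track withdrawn versions
and keep them out of fix-version suggestions."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VersionRecord:
    version: str
    vulnerable: bool = False   # known affected by an advisory
    withdrawn: bool = False    # officially pulled by upstream: "do not use"
    note: str = ""


def version_key(version: str) -> tuple:
    """Order dotted numeric versions; assumption: no letters or build tags.
    Non-numeric parts sort as 0 so the function never raises."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def reportable(record: VersionRecord) -> bool:
    """A withdrawn version is still a real version, but it should not be
    suggested to users as an upgrade target."""
    return not record.withdrawn


def safe_versions(records: List[VersionRecord]) -> List[VersionRecord]:
    """Versions that are neither known-vulnerable nor withdrawn."""
    return [r for r in records if not r.vulnerable and reportable(r)]


def suggest_fix(records: List[VersionRecord], affected: str) -> Optional[str]:
    """Smallest safe version strictly newer than `affected`, or None."""
    candidates = [
        r.version for r in safe_versions(records)
        if version_key(r.version) > version_key(affected)
    ]
    return min(candidates, key=version_key) if candidates else None


# Constructed sample data modelled on the examples in the thread. Only the
# withdrawn flags reflect the thread; no advisory data is implied.
OPENSSL = [
    VersionRecord("3.0.5"),
    VersionRecord("3.0.6", withdrawn=True, note="withdrawn by upstream"),
    VersionRecord("3.0.7"),
]

WGET = [
    VersionRecord("1.13"),
    VersionRecord("1.13.2", withdrawn=True, note="removed from GNU download site"),
    VersionRecord("1.13.3"),
]


if __name__ == "__main__":
    # 3.0.6 is skipped even though it is newer than 3.0.5
    print(suggest_fix(OPENSSL, "3.0.5"))   # 3.0.7
    print(suggest_fix(WGET, "1.13"))       # 1.13.3
    print(suggest_fix(OPENSSL, "3.0.7"))   # None: nothing newer and safe
```

The design point is that "withdrawn" is a property of the version record itself, independent of any advisory: a version with no known vulnerability can still be excluded from suggestions, which is exactly the case the thread describes.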