Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2016 December

The following contributions were made:

  • Front desk work week 51
    • Found that samba is vulnerable from CVE-2016-2125.
    • Found that jasper is vulnerable but should not need to be updated yet. Let us re-visit this again this or next week.
    • Found that postgresql-common is vulnerable from CVE-2016-1255.
    • Found that exim4 is vulnerable but that there is no information currently on what to fix.
    • Found that libcrypto++ is vulnerable from CVE-2016-9939.
    • Found that libgd2 is vulnerable from CVE-2016-9933. Could to some extent be treated as a programmer error but it looks severe enough to be fixed anyway and the fix looks easy. PHP is vulnerable as well but will automatically be fixed as soon as libgd2 is updated.
    • Found that icinga is vulnerable from CVE-2016-9566. However after more careful reading I realized that this was a mistake and sent an update email regarding this.
    • Found that openssh is vulnerable from CVE-2016-10009, CVE-2016-10011 and CVE-2016-10012 but as they were stated as no-dsa (minor issue) in jessie, wheezy is marked as no-dsa as well.
    • Found that apache2 is vulnerable from CVE-2016-8743. It took some time but I have concluded that it should be fixed (upstream noted it as important). The solution is not backwards compatible and thus upstream have created a new option. This makes it less good for a stable security update. Stable team have not triaged this. I added a note in dla-needed.txt to give instructions on the special consideration in the DLA text.
    • Sent an email to asking for more information about exim4 bug 1996. The email can be seen below. The vulnerability is confirmed to affect wheezy. Maintainers contacted in a less formal way as the maintainer was contacted by
    • Found that curl is vulnerable from CVE-2016-9586 but I have not yet determined whether it should be fixed or not. On one hand it can be seen as only exploitable if the software using curl does not contain enough input sanitizing, on the other hand the patch is small and it is good to fix most vulnerabilities. No exploit is known. Sending an email to call for advice. The advice was to state that an update is needed, but I also state that it is of lower priority.
    • Reminded Brian that phpmyadmin was accepted but no DLA can be seen in official post. It turned out that we could not find the reason for this. So he sent me the information and I sent out that email for him.
    • Found that ikiwiki is vulnerable from CVE-2016-10026.
    • Found that spip is vulnerable from CVE-2016-9997 and CVE-2016-9998.
    • Found that libspring-java is vulnerable from CVE-2016-9878 however it is not a major problem and it was marked as no-dsa for jessie. The same was now done for wheezy as well.
    • Found that imagemagick is vulnerable from CVE-2016-8677 and CVE-2016-9559. They are not major problems but as they were fixed in jessie I guess someone has concluded that they are important enough to be fixed.
    • Found that tarantool is vulnerable from CVE-2016-9036 and CVE-2016-9037. The first one is an obvious DoS vulnerability while the second is less obvious but probably worth fixing anyway. Later the maintainer informed that it is in fact not vulnerable and therefore I changed that.
  • Front desk work week 52
    • Found that libphp-phpmailer is vulnerable from CVE-2016-10033. According to the advisory this is a critical bug. However there are limited details so I have not been able to confirm the critical nature.
    • Found that python-crypto is vulnerable from CVE-2013-7459. According to the discussion thread it is an exploitable vulnerability.
    • Started to investigate CVE-2016-9318, CVE-2016-9597, CVE-2016-9598 and CVE-2016-9596 for libxml2. CVE-2016-9596 was marked as no-dsa just as jessie was. The other ones need more investigation.
    • Discussed apache2 update further and documented findings in security tracker.
    • Got the information that imagemagick had already been fixed. Informed Emilio who worked on this and updated security tracker. After some more time I realized that a new CVE-2016-10062 has made my previous statement slightly invalid as it affects imagemagick.
    • Checked hplip update request and gave instructions on how to go further.
    • Found that libphp-swiftmailer is vulnerable from CVE-2016-10074.
    • Found that rabbitmq-server is (likely) vulnerable from CVE-2016-9877.
    • Marked CVE-2016-10087 for libpng as no-dsa, following jessie.
    • Marked CVE-2016-10081 for shutter as no-dsa, following jessie.
    • Found that libxml2 is vulnerable from CVE-2016-9318, CVE-2016-9597 and CVE-2016-9598. It was already in dla-needed.txt.
    • Sent DLA-775-1 for hplip.
    • Marked CVE-2016-10091 for unrtf as no-dsa, following jessie.