Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2017 April

The following contributions were made:

  • Assisted with analysis of the potrace vulnerability CVE-2016-8685 and why the optimizer affects it.
  • Review of potrace changes.
  • Marked CVE-2017-7418 for proftpd-dfsg as no-dsa following jessie.
  • Claimed libsndfile but after some work realized that I could not complete the work that week and I'm away the week after. Will continue the work if nobody else has claimed it by then.
  • Front desk activities week 16:
    • Marked CVE-2017-7697 for libsamplerate as no-dsa following jessie.
    • Marked CVE-2017-7946 for radare2 as no-dsa following jessie.
    • Marked CVE-2017-7941, CVE-2017-7942 and CVE-2017-7941 for imagemagick as no-dsa following jessie.
    • Analyzed CVE-2017-7869, CVE-2017-5337, CVE-2017-5336 and CVE-2017-5335 for gnutls26. Found the package to be vulnerable to them all. CVE-2017-7869 is a minor issue but probably worth fixing anyway as the fix was simple.
    • Analyzed CVE-2016-5396 for trafficserver. After a lot of code search the conclusion is that the vulnerable source is not present in the wheezy version.
    • Uploaded xen package prepared by Credativ and issued DLA-907-1.
    • Informed the maintainer that squirrelmail is vulnerable to CVE-2017-5181 and CVE-2017-7692. The package had been added to dsa-needed so added to dla-needed too.
    • Marked CVE-2015-7559 for activemq as no-dsa following jessie.
    • Found that minicom is vulnerable to CVE-2017-7467. Maintainer contacted and dla-needed.txt updated.
    • Started looking into CVE-2017-3586 and CVE-2017-3589 for mysql-connector-java but found very little details.
    • Marked CVE-2017-6949 for chicken as no-dsa following jessie.
    • Found that "fop" is vulnerable to CVE-2017-5661. Maintainer contacted and dla-needed.txt updated.
    • Found that "batik" is vulnerable to CVE-2017-5662. Maintainer contacted and dla-needed.txt updated.
    • Found that "botan1.10" is vulnerable to CVE-2017-2801. Maintainer contacted and dla-needed.txt updated.
    • Marked CVE-2017-7982 for libplist as no-dsa following jessie.
  • Looked into various CVEs with status undetermined or not triaged for Jessie. However, I could not find anything conclusive beyond the fact that some of the CVEs got some updates in the security tracker.
  • Marked CVE-2017-7994 for libpodofo as no-dsa following jessie. Also looked into quite a few more, but they had a DLA already even though they were marked as minor in jessie. Looked into this a little more and things do not fully make sense, so I have written an email to the security team and some more people to ask for clarification.