Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2017 August

The following contributions were made:

  • LTS front desk activities week 33
    • Strongswan was added to dla-needed.txt as it was in dsa-needed.txt due to CVE-2017-11185 and the source code for wheezy showed clearly that the fault is there too. Maintainer contacted and told that DSA team had probably sent a similar request.
    • Marked CVE-2017-12847 for nagios3 as no-dsa following jessie. Maintainer contacted.
    • Marked CVE-2017-12852 for python-numpy as no-dsa following jessie and stretch. Maintainer contacted.
    • Triaged CVE-2017-7674 for tomcat7. Upstream version information states that the version in wheezy is not affected. The file where the updated code was introduced (in the upstream proposed patch) is not in wheezy but the Vary header is not set anywhere else either. This may mean that the vulnerability is still there but as the Vary header is not mandatory and the filters are optional the conclusion must be that the vulnerable code is not there. Therefore it was marked as not affected for wheezy.
    • Augeas was added to dla-needed.txt as it was in dsa-needed.txt due to CVE-2017-7555 and the source code looks vulnerable as well. Maintainer contacted and told that DSA team had probably sent a similar request.
    • Graphicsmagick was added to dla-needed.txt as it was in dsa-needed.txt due to CVE-2017-12935, CVE-2017-12936 and CVE-2017-12937. Maintainer contacted and told that DSA team had probably sent a similar request.
    • CVE-2017-12938, CVE-2017-12940, CVE-2017-12941 and CVE-2017-12942 for unrar-nonfree were marked as no-dsa as non-free is not supported.
    • Newsbeuter was added to dla-needed.txt as CVE-2017-12904 has already been fixed in jessie and the code shows the same vulnerability in wheezy. Maintainer contacted and told that the DSA team or he himself had already dealt with it, but not for wheezy.
    • CVE-2017-12871 for simplesamlphp was marked as not affected following jessie. The wheezy code was analyzed and lib/SimpleSAML/Utilities.php does indeed generate the IV randomly.
    • CVE-2017-7548 for postgresql-9.1 was marked as not affected as no trace of the lo_put code can be found in the version in wheezy.
    • Marked CVE-2017-12967 as ignored following jessie and stretch.
    • Started triaging nss but did not have access to view the actual bug reports.
    • Started triaging opencv but could not find any actual proposed patches, so I could not tell whether wheezy was affected or not. The CVEs state that 3.3 and later are vulnerable, and we do not have 3.3 in any version in Debian.
    • Started triaging simplesamlphp but again did not find any proof that wheezy is affected, and not the opposite either.
    • At the end of the week I sent a report to the next front desk responsible telling what leftovers I had from my week of assignment.