Inguza Technology AB


Debian Long Term Support work 2017 January

The following contributions were made:

  • Started to look into the apache2 update but found it to be too large a patch for me to handle in a few hours. Will look into this again unless someone else beats me to it.
  • Started to look into CVE-2016-9318 for the libxml2 update but could not find whether it was blessed upstream or not. However, I suggested marking it as no-dsa, as this is the introduction of a new option that is off by default. Marked as no-dsa and package removed from dla-needed.txt.
  • Started to look into CVE-2016-9601 for jbig2dec but found that no solution is available.
  • Started to look into ghostscript but found no CVE for it. Mail sent to Chris to check what the intention was, and it was for a CVE that was later re-assigned to jbig2dec. Ghostscript was removed from dla-needed.txt.
  • Marked CVE-2016-8649 for lxc (and linux) as no-dsa following jessie.
  • Marked CVE-2017-XXXX (TEMP-0850432-8BD66F #850432) as no-dsa following jessie. Package removed from dla-needed.txt.
  • Started working on icoutils:
    • CVE-2017-5208; however, this fix is not enough, so we need CVE-2017-5331 too.
    • CVE-2017-5332; however, it was an incorrect fix. The correction of that problem also solves CVE-2017-5333.
  • Marked CVE-2016-10062 as no-dsa (minor issue) following jessie. This means that the package was removed from dla-needed.txt too.
  • Uploaded icoutils and issued DLA-789-1.
  • Tested apache2 packages from here: https://people.debian.org/~anarcat/debian/wheezy-lts/. No, I could not. The system I'm running is i386 and the packages were built for amd64.
  • Marked CVE-2016-9954 for the package chicken as no-dsa just as for Jessie.
  • Started looking into php-gettext. Plan to mark CVE-2016-6175 as no-dsa for wheezy. Checking with Salvatore why it was marked as grave in the bug report. No specific reason, so marked as no-dsa following jessie. Did the same for CVE-2015-8980.
  • Front desk work week 4:
    • Found that the cgiemail package needs a DLA.
    • Found that the glassfish package needs a DLA.
    • Found that kgb-bot needs a DLA.
    • Found that mcollective needs a DLA.
    • Found that qemu needs a DLA.
    • Found that qemu-kvm needs a DLA.
    • Marked CVE-2017-5495 for quagga as no-dsa following jessie.
    • Found that libgd2 needs a DLA.
    • openjdk-7 needs a DLA (maybe it was solved by the upload today, but it is not clear from the DLA; checking with Emilio).
    • Asked for more information to judge whether tcpdump needs an update or not in wheezy.
    • Marked TEMP-0846837-70DD1D for tiff as not reproducible.
    • Marked CVE-2016-3104 for mongodb no-dsa for wheezy following jessie.
    • Found that the calibre package needs a DLA.
    • Found that mysql-5.5 needs a DLA.
    • Found that svgsalamander needs a DLA.
    • Found that TEMP-0846837-70DD1D for tiff was already corrected.
    • Found that wireshark needs a DLA.
    • Found that ruby-archive-tar-minitar needs a DLA.
  • Sent DLA-809-1 for tcpdump.