Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2017 October

The following contributions were made:

  • LTS front desk activities week 41
    • Triaged CVEs for golang. The package is added to dla-needed.txt. Maintainer contacted.
      • CVE-2017-15041 - Looks like the package is in fact vulnerable. The code looks rather different but the basic functionality looks like it is the same and thus vulnerable.
      • CVE-2017-15042 - The problem was introduced in golang 1.1 and 1.0 is available in wheezy. Therefore the CVE was marked as not affected for wheezy.
    • Triaged CVEs for graphicsmagick. The package is added to dla-needed.txt following jessie. Maintainer contacted.
      • CVE-2017-13737 Sounds serious. Cannot confirm that the source is vulnerable as no correction exists.
      • CVE-2017-15238 Source code not vulnerable. The vulnerable code does not exist.
      • CVE-2017-15277 Looks rather serious. Source code vulnerable after inspection.
    • Concluded that icedove is simply backported and as it is in dsa-needed then it shall also be added to dla-needed.txt. Maintainer contacted. Updated security tracker with the information that Guido has promised to handle this once a version is available for unstable.
    • Triaged CVEs for imagemagick. The package is added to dla-needed.txt following jessie. Maintainer contacted.
      • CVE-2017-15281. DoS. Source code vulnerable after inspection.
      • CVE-2017-15277. Looks rather serious. Source code vulnerable after inspection.
      • CVE-2017-14528. DoS. Cannot confirm that the source is vulnerable as no fix is known (more than that the latest version may have this solved).
    • Triaged libextractor
      • CVE-2017-15266 Marked as no-dsa following jessie.
      • CVE-2017-15267 Marked as no-dsa following jessie.
    • Triaged xen. Did not triage further as xen was already up for discussion on the list and there is no reason to make double work.
      • TEMP-0860565-9E8C4B. Marked as ignore (too intrusive to backport) following jessie.
    • Triaged jasperreports. Added to dla-needed.txt. Maintainer contacted.
      • CVE-2017-14941. Sounds serious. Cannot confirm that the source code is vulnerable as that information does not exist.
    • Triaged liblouis. Added to dla-needed.txt. Maintainer contacted.
      • CVE-2014-8184. Sounds serious. Cannot confirm that the source code is vulnerable as that information does not exist.
    • Triaged mp3splt. No need to contact maintainers.
      • CVE-2017-15185. Vulnerable code does not exist.
    • Triaged sqlite3. Added to dla-needed.txt. Maintainer contacted.
      • CVE-2017-15286. Could not confirm that the vulnerability exists as no suggestion exists. Sounds serious.
    • Triaged tomcat7. Added to dla-needed.txt. Maintainer contacted.
      • CVE-2017-12617. Sounds serious and the version in wheezy is mentioned as vulnerable.
    • Triaged git. Asked for advice on the LTS list. Jens had a good point, so it is added to dla-needed.txt. Maintainer contacted.
      • CVE-2017-15298. Not convinced that this is something we should bother about.
    • Triaged sdl-image1.2. Added to dla-needed.txt. Maintainer contacted.
      • CVE-2017-2887. Potentially problematic. Source code confirmed to be vulnerable.
    • Triaged jbossas4. Added to dla-needed.txt. Maintainer contacted.
      • CVE-2017-12149. Could not find a proposed patch, but the code looks vulnerable, so it is probably vulnerable.
    • Triaged libjpeg6b and libjpeg8. Both added to dla-needed.txt. Maintainers contacted.
      • CVE-2017-15232. Source looks vulnerable, at least if the proposed patch is the final one. Got a comment that the mail sent to the maintainer contained the wrong CVE. Corrected that and also informed about the basis for saying that the package is vulnerable.
    • Triaged rubygems and ruby1.9.1. Added to dla-needed.txt. Maintainer contacted.
      • CVE-2017-0903. According to the security note the package shall not be vulnerable. However after looking at the source code, I'm not convinced.
  • Sent a reminder to Hugo about DLA for ming.