Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2018 April

The following contributions were made:

  • LTS front desk activities
    • Continued follow-up of mosquitto. DLA was sent by Thorsten but the package does not seem to be in the archives and something has gone wrong with the security tracker information. I asked Thorsten to check it out. Package upload had broken. Re-uploaded now and accepted. Something is still wrong with the security database.
    • Triaged jruby
      • CVE-2018-1000079 - Code analysis shows that the vulnerable code is not present in wheezy.
      • CVE-2018-1000078 - DLA already allocated
      • CVE-2018-1000077 - DLA already allocated
      • CVE-2018-1000076 - DLA already allocated
      • CVE-2018-1000075 - DLA already allocated
      • CVE-2018-1000074 - Code vulnerable. Important enough to fix? To be decided.
      • CVE-2018-1000073 - Code analysis shows that the vulnerable code is not present in wheezy
    • Triaged rubygems
      • CVE-2018-1000079 - Code analysis shows that the vulnerable code is not present in wheezy.
      • CVE-2018-1000074 - Code vulnerable. Important enough to fix? To be decided.
      • CVE-2018-1000073 - Code analysis shows that the vulnerable code is not present in wheezy
  • Discussed python-crypto DLA and suggested new DLA text to be sent.
  • Triaged undetermined issues to reduce that list:
    • Triaged mysql-5.5
      • CVE-2017-15365 - The fault seems to be in WSREP handling and WSREP handling is not included in MySQL 5.5 so concluded that wheezy is not affected.
    • Triaged exiv2
      • CVE-2018-9144 - The mentioned vulnerable function does not exist in wheezy.
      • CVE-2018-8976 - The code fixed by the patch does not exist in wheezy.
      • CVE-2018-9145 - DoS class vulnerability. Not important enough to investigate further. Marked as ignored.
      • CVE-2018-9146 - DoS class vulnerability. Not important enough to investigate further. Marked as ignored.
      • CVE-2017-17723 - DoS class vulnerability. Not important enough to investigate further. Marked as ignored.
      • CVE-2017-17725 - DoS class vulnerability. Not important enough to investigate further. Marked as ignored.
  • While looking for packages that I could contribute fixes to I did the following. As you can see it became a major cleanup instead of actually fixing anything...
    • Leptonlib - Package removed from dla-needed.txt.
      • CVE-2018-7442 - The only unfixed CVE was marked as no-dsa (minor issue) for jessie and stretch. There is no reason to believe that wheezy should be different. Marked as ignored in the security tracker.
    • Libpodofo - Package removed from dla-needed.txt as all issues had been marked as no-dsa/ignored.
    • Mingw-w64 - Package removed from dla-needed.txt.
      • CVE-2018-1000101 - The only unfixed CVE was marked as no-dsa (minor issue) for jessie and stretch. There is no reason to believe that wheezy should be different. Marked as ignored in the security tracker.
    • Web2py - Package removed from dla-needed.txt as all issues had been marked as no-dsa/ignored.
    • Ipython - It was noted that double check of the analysis should be made before it is removed from dla-needed.txt. I have done that now and the reasoning looks reasonable and therefore I removed that entry.
    • Mp4v2 - Package removed from dla-needed.txt.
      • CVE-2018-7339 - The only unfixed CVE was marked as no-dsa (minor issue) for jessie and stretch. There is no reason to believe that wheezy should be different. Marked as ignored in the security tracker.
    • Ruby-rack-protection - Removed from dla-needed.txt.
      • CVE-2018-1000119 - The package is not very popular. The CVE got low prio from RedHat and I agree with that. In total it is not worth fixing. The backporting was easy but I have no good way to test it so let us ignore the problem instead of potentially introducing a regression issue.
    • Imagemagick - Package removed from dla-needed.txt as all issues have been marked as no-dsa/ignored.
      • CVE-2017-18252 - Marked as no-dsa/minor issue in jessie and stretch. There is no reason why wheezy should be treated differently. Marked as ignored.
      • CVE-2018-8804 - Marked as no-dsa/minor issue in jessie and stretch. There is no reason why wheezy should be treated differently. Marked as ignored.
      • CVE-2018-8960 - Marked as no-dsa/minor issue in jessie and stretch. There is no reason why wheezy should be treated differently. Marked as ignored.
      • CVE-2018-9133 - Marked as ignored/minor issue in jessie and stretch. There is no reason why wheezy should be treated differently. Marked as ignored.
    • Opencv - Package kept in dla-needed as it still has some non-minor issues. At least they are not triaged.
      • CVE-2018-7712 - Marked as ignored/minor issue in jessie and stretch. There is no reason why wheezy should be treated differently. Marked as ignored.
      • CVE-2018-7713 - Marked as ignored/minor issue in jessie and stretch. There is no reason why wheezy should be treated differently. Marked as ignored.
      • CVE-2018-7714 - Marked as ignored/minor issue in jessie and stretch. There is no reason why wheezy should be treated differently. Marked as ignored.
    • Elinks - Package removed from dla-needed.
      • CVE-2012-6709 - Marked as ignored/minor issue in jessie and stretch. There is no reason why wheezy should be treated differently. Marked as ignored.
    • Libraw - Package removed from dla-needed.
      • CVE-2018-5800 - Marked as ignored/minor issue in jessie and stretch. There is no reason why wheezy should be treated differently. Marked as ignored.
      • CVE-2018-5801 - Marked as ignored/minor issue in jessie and stretch. There is no reason why wheezy should be treated differently. Marked as ignored.
      • CVE-2018-5802 - Marked as ignored/minor issue in jessie and stretch. There is no reason why wheezy should be treated differently. Marked as ignored.
  • Sent a check question whether we should handle libgcrypt11 in the same way as was concluded for python-crypto. It looks like a very similar vulnerability. The answer was that the vulnerability was marked as not important and thus I removed libgcrypt from dla-needed.txt.