Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2018 February

The following contributions were made:

  • LTS front desk activities
    • Triaged tomcat-native
      • CVE-2017-15698 - After looking how complicated it was to enable the vulnerable functionality I decided for minor issue.
    • Triaged zziplib
      • CVE-2018-6481 - Decided for minor issue as it is a bus error and the package is just binaries; this is just a potential vulnerability.
    • Triaged eglibc
      • CVE-2018-6485 - Marked as ignored following jessie (on glibc)
    • Triaged simplesamlphp
      • CVE-2018-6519 - Marked as ignored due to minor issue following jessie.
    • No response from Emilio about libreoffice lock. Unlocking.
    • Triaged libreoffice
      • CVE-2013-4156 - Marked as ignored as it is unimportant.
      • CVE-2012-5639 - Marked as ignored as it is unimportant.
    • Triaged mantis
      • CVE-2018-6526 - End of life, ignored
    • Triaged simplesamlphp (again), contacted maintainer, it was not added to dla-needed.txt because it was already added...
      • CVE-2017-18121 - Maybe not the worst problem ever but the fix is simple and it was decided to fix for jessie so we keep the same for wheezy. Code was checked and the wheezy version is vulnerable too.
      • CVE-2017-18122 - Maybe not the worst problem ever but the fix is simple and it was decided to fix for jessie so we keep the same for wheezy. Code was checked and the wheezy version is vulnerable too.
    • Triaged dojo added to dla-needed.txt and informed maintainer
      • CVE-2018-6561 - Looks serious enough
    • Triaged dokuwiki, added to dla-needed.txt and contacted maintainers
      • CVE-2017-18123 - sounds really serious
    • Triaged gifsicle
      • CVE-2017-18120 - Source code confirmed to be vulnerable. Simple fix. But the problem is minor so we ignore it.
    • Triaged python-crypto, was already in dla-needed.txt so that is skipped and maintainer not contacted
      • CVE-2018-6594 - sounds serious enough
    • Triaged python3.2
      • CVE-2018-1000030 - The same issue exists for python2.6 and 2.7 and it was added to dla-needed for them. It is however claimed that 3.x is properly implemented, but with a note that some versions crash. Due to this the reproducer was downloaded and tested with python3.2, with the conclusion that the problem does not exist in python3.2.
    • Triaged zziplib (again)
      • CVE-2018-6540 - DoS class. Not important enough to fix.
      • CVE-2018-6541 - DoS class. Not important enough to fix.
      • CVE-2018-6542 - DoS class. Not important enough to fix.
  • Answered an email from Brian about dojo. I think Brian's analysis was correct.
  • Answered an email from Brian about exiv2, telling him that he can upload but it is really of low importance.
  • Spectre and meltdown documentation on wiki. Created the page and filled it with the initial status. It was later updated with more information by other people.