Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2018 January

The following contributions were made:

  • LTS front desk activities                       
    • Triaged libapache-poi-java
      • CVE-2017-12626 - Marked as no-dsa following jessie.
    • Triaged libpodofo
      • CVE-2018-5295 - Marked as no-dsa following jessie.
      • CVE-2018-5296 - Marked as no-dsa following jessie.
      • CVE-2018-5308 - Marked as no-dsa following jessie.
      • CVE-2018-5309 - Marked as no-dsa following jessie.
      • CVE-2018-5783 - Marked as no-dsa following jessie.
      • CVE-2018-6352 - Marked as no-dsa as this issue was yet another DoS class vulnerability and all other vulnerabilities for libpodofo were declared minor issues.
    • Triaged jquery
      • CVE-2012-6708 - The fix is too invasive to backport, even upstream decided not to fix earlier releases due to this. In addition the problem is very old.
      • CVE-2015-9251 - The fix is not backwards compatible, making it too invasive to correct the problem. Also this problem is rather old and has been known for quite a while now.
    • Triaged libmad, added to dla-needed and informed maintainer.
      • CVE-2017-8372 - Hard to decide but leaning towards fixing as the package is used by a lot of other ones. Finally decided to suggest fixing.
      • CVE-2017-8373 - Hard to decide but leaning towards fixing as the package is used by a lot of other ones. Finally decided to suggest fixing.
      • CVE-2017-8374 - Hard to decide but leaning towards fixing as the package is used by a lot of other ones. Finally decided to suggest fixing.
    • Triaged squid and squid3, added it to dla-needed.txt and informed maintainer. 
      • CVE-2018-1000024 - Simple fix and sounds severe enough to fix. Squid not vulnerable and marked accordingly.
      • CVE-2018-1000027 - Simple fix (even though it will not apply cleanly and some thinking is needed) and it sounds severe enough to fix.
    • Answered an email about xen, suggesting to mark the CVE corresponding to XSA-253 as minor issue. The motivation is that it would take years of rebooting before this is actually a real problem.
    • Triaged pound
      • CVE-2016-10711 - Decided for minor issue as the package has just a hundred installations or so and it does not look very important.
    • Triaged zziplib
      • CVE-2018-6381 - Decided for minor issue: it is a segfault, but the package ships only binaries, so this is just a potential vulnerability.
    • Triaged cpio
      • CVE-2017-7516 - Classified as minor issue as it is a very similar result to CVE-2015-1197 and that one was classified as minor.
    • Triaged swftools
      • CVE-2017-16797 - Marked as minor issue following jessie.
      • CVE-2017-16793 - Marked as minor issue following jessie.
      • CVE-2017-1000185 - Marked as minor issue following jessie.
      • CVE-2017-1000176 - Marked as minor issue following jessie.
    • Triaged chromium-browser
      • CVE-2018-6406 - Package has reached end-of-life in wheezy and the CVE was marked accordingly.
    • Sent a mail to Emilio as he had locked libreoffice for one and a half months. There are two CVEs connected but they look like minor issues. Will follow up tomorrow (next month).
    • Triaged some issues for libav, helping Hugo on this package:
      • CVE-2018-5766 - Marked as ignored following jessie.
      • CVE-2017-17127 - Marked as ignored following jessie.
      • CVE-2016-9824 - Marked as ignored following jessie.
      • CVE-2016-9823 - Marked as ignored following jessie.
      • CVE-2016-5115 - Marked as ignored following jessie.
    • Sent a mail to Brian as he had locked exiv2 for almost two weeks. It is not a very long time, but the only remaining open CVE should actually be ignored, as it was marked as minor for jessie. Will follow up tomorrow (next month).