Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2018 March

The following contributions were made:

  • LTS front desk activities                       
    • Triaged thunderbird. Package added to dla-needed.txt following the Debian Security decision that a DSA is needed.
      • CVE-2018-5125 - Probably a bit hard to exploit, but as the new version fixes this as well, it is worth fixing this too.
      • CVE-2018-5127 - Potentially exploitable crash. As this is a high profile application it is worth fixing.
      • CVE-2018-5129 - Sandbox escape is worth fixing.
      • CVE-2018-5144 - Probably a bit hard to exploit, but as the new version fixes this as well, it is worth fixing this too.
      • CVE-2018-5145 - Probably a bit hard to exploit, but as the new version fixes this as well, it is worth fixing this too.
      • CVE-2018-5146 - Probably a bit hard to exploit, but as the new version fixes this as well, it is worth fixing this too.
    • Triaged nasm
      • CVE-2018-8881 - Decided to mark as ignored, thus following Debian Security team decision.
      • CVE-2018-8882 - Decided to mark as ignored, thus following Debian Security team decision.
      • CVE-2018-8883 - Decided to mark as ignored, thus following Debian Security team decision.
    • Triaged ntp
      • CVE-2018-7184 - DoS class vulnerability, association reset. Decided to mark as ignored, thus following Debian Security team decision. It is not worth investigating whether the problem is in fact there.
      • CVE-2018-7185 - Similar to CVE-2018-7184. But more likely affected.
      • CVE-2018-7182 - Sounds serious. The question is whether the version in wheezy is affected or not. According to the text, it is not but that should be double-checked. After quite a lot of investigation the conclusion is that the version in wheezy is not affected.
    • Triaged network-manager
      • CVE-2018-1000135 - Have a hard time deciding on this one. Have to think a little more about it. Debian Security team decided for no-dsa so decided for the same.
    • Triaged libspring-java
      • CVE-2018-1199 - The package is most likely vulnerable but it is not worth fixing. Too intrusive.
    • Triaged lrzip
      • CVE-2018-9058 - DoS (infinite loop). Minor issue according to Debian Security team, so marked as ignored.
    • Triaged openssl. Added to dla-needed.txt.
      • CVE-2018-0739 - DoS class vulnerability, but as PKCS is part of SMIME it is probably worth fixing. Also, other DoS class vulnerabilities have been fixed in the past, so let us continue that practice for this high profile security package.
    • Triaged guacamole
      • CVE-2017-3158 - Package version not vulnerable according to the description.
    • Triaged drupal7. Added to dla-needed.txt. It was already there but with wrong name.
    • Triaged trafficserver
      • CVE-2017-7671 - After code inspection it is clear that the vulnerable function does not exist in the wheezy version.
      • CVE-2017-5660 - After code inspection, cannot find the vulnerable code in the wheezy version.
    • Triaged unixodbc
      • CVE-2018-7409 - After code inspection it is clear that the function is different. The vulnerability is there but it is very unlikely that dest_len will be zero so it is considered as a minor issue.
    • Uploaded libvncserver on request from Abhijith. Package re-built, signed and uploaded. Asked whether a DLA should be sent as well or if he will do that.
    • Triaged mosquitto but after a while I found out that the package had already been dealt with. Will follow up tomorrow.