Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2018 November

The following contributions were made:

  • Helped analyze a tiff patch.
  • Documented the pre-commit hook.
  • Triaged exiv2
    • CVE-2018-19107 - Minor issue, ignored
    • CVE-2018-19108 - Minor issue, ignored
  • Triaged kde-runtime
    • CVE-2018-19120 - Minor issue, ignored
  • Triaged spamassassin
    • CVE-2017-15705 - Fixed already, triage script showed this for some unknown reason
    • CVE-2018-11780 - Fixed already, triage script showed this for some unknown reason
    • CVE-2018-11781 - Fixed already, triage script showed this for some unknown reason
  • Triaged keepalived. Package added to dla-needed.txt. Package claimed before mail sent out asking maintainer to do update.      
    • CVE-2018-19115 - Probably worth fixing
  • Triaged nasm
    • CVE-2018-19215 - Minor issue, ignoring
    • CVE-2018-19214 - Minor issue, ignoring
    • CVE-2018-19213 - Minor issue, ignoring
  • Triaged otrs2. Package added to dla-needed.txt and maintainer contacted.      
    • CVE-2018-19141 - Minor issue, ignoring. Must be logged in as admin user to trigger it.
    • CVE-2018-19143 - Severe and the issue seems to exist in earlier revision too
  • Triaged pdns-recursor
    • CVE-2018-10851 - Minor issue, memory leak, ignoring. Out of memory results in restart giving limited impact.
    • CVE-2018-14626 - Vulnerable code not present (verified code myself as it was not evident from the start). Marked pdns as well.
    • CVE-2018-14644 - Minor issue, postponed
  • Triaged poppler. Package added to dla-needed.txt. Maintainer do not want to be contacted.
    • CVE-2018-19058 - Can be worth fixing
  • Triaged ruby-i18n. Package added to dla-needed.txt and claimed before mail sent to maintainer.      
    • CVE-2014-10077 - Can be worth fixing
  • Triaged ruby-rack. Package added to dla-needed.txt and claimed before mail sent to maintainer.       
    • CVE-2018-16471 - Can be worth fixing
  • Discussions regarding tiff reproduction.
  • Discussions regarding pdns triaging and the need to fix it. 
  • Triaged ckeditor
    • TEMP-xxx - Little information availble. Declared minor for stretch so following that decision. Ignored.
  • libwpd
    • CVE-2018-19208 -  Declared minor for stretch so following that decision. Ignored.
  • Triaged suricata
    • CVE-2018-18956 - Same conclusion as for ELTS a few days ago. The version in jessie do not support mime and therefore the vulnerability is not present in the code.
  • Triaged uriparser. Package added to dla-needed.txt and claimed before mail sent to maintainer. 
    • CVE-2018-19198 - Out of bounds write are typically severe, so worth fixing.
    • CVE-2018-19199 - Probably not the worst problem but as CVE-2018-19198 is worth fixing and a patch exist this should be solved as well.
    • CVE-2018-19200 - DoS class not severe enough, but still worth fixing with the rest.
  • Triaged golang-go.det-dev. Noted that the package is removed in next debian release.
    • CVE-2018-17848 - Not severe enough to fix a development library with very little dependencies.
    • CVE-2018-17847 - Not severe enough to fix a development library with very little dependencies.
    • CVE-2018-17846 - Not severe enough to fix a development library with very little dependencies.
  • Triaged harfbuzz
    • CVE-2015-9274 - Yes probably worth fixing. It is an old issue but all other Debian releases has it fixed and it seems to be a very popular package.
  • Triaged libphp-phpmailer
    • CVE-2018-19296 - Can be good to fix and seems simple enough.
  • Triaged nasm for undetermined issues
    • CVE-2018-19216 - Not sure why it was marked as undetermined. It should be unfixed. Fixed that and marked it as ignored as the issue is not severe enough.
  • Triaged amanda for undetermined issues
    • CVE-2016-10729 - The vulnerability cannot be reproduced. Sent an email to the LTS list to ask for how to properly mark this vulnerability.