Inguza Technology AB

Debian Long Term Support work 2018 September

The following contributions were made:

  • Answered email about firefox-esr.
  • Triaged mupdf. Decided not to follow the decision from the Debian Security team.
    • CVE-2018-16647 - DoS class vulnerability for a client is not severe enough.
    • CVE-2018-16648 - Same decision for this one.
  • Triaged openafs and added it to dla-needed following Debian Security team DSA decision.
  • Triaged soundtouch.
    • CVE-2018-17096 - ignored following stretch
    • CVE-2018-17097 - ignored following stretch
    • CVE-2018-17098 - ignored following stretch
  • Triaged php5. Adding to dla-needed.txt.
    • CVE-2018-17082 - Looks serious enough to fix.
  • Triaged spamassassin. Adding to dla-needed.txt. Mail sent to maintainers.
    • CVE-2018-11780 - Potential remote execution is probably severe enough.
    • CVE-2018-11781 - Can be severe in special cases.
    • CVE-2018-15705 - Can be problematic.
  • Triaged libapache2-mod-perl2
    • CVE-2011-2767 - Looks severe enough even though it is old and has been public for 7 years (in the Debian BTS).
  • Triaged neutron.
    • CVE-2018-14636 - Do not consider this important enough. Sniffing should be ok in most cases, especially since issues like CVE-2016-5363 were considered minor.
    • CVE-2018-14635 - Not more important than some of the ignored issues. Ignoring this as well.
  • Triaged okular.
    • CVE-2018-1000801 - Sounds serious enough for a fix. Concluded the same as the Debian Security team.
  • Triaged libpodofo
    • CVE-2018-14320 - After some thinking decided to consider it as minor issue.
  • Triaged hylafax. Added to dla-needed.txt.
    • CVE-2018-17141 - Serious
  • Triaged audiofile
    • CVE-2018-17095 - After a lot of thinking, decided to postpone it.
  • Triaged sympa. Added to dla-needed.txt. Mail sent to maintainers.
    • CVE-2018-1000671 - Serious enough for fix.
  • Triaged tcpdf
    • CVE-2018-17057 - Considered minor since arbitrary deserialization is still possible using http and https even with this fix.
  • Triaged zziplib
    • CVE-2018-16548 - A memory leak is not serious enough for a fix.
  • Triaged tiff
    • CVE-2018-17000 - Postponing. Can be updated in a later update.
    • CVE-2018-17100 - Also postponed.
    • CVE-2018-17101 - Also postponed.
  • Triaged tika, but considering the usage of this I decided to be quite strict on the necessity of fixing.
    • CVE-2018-8017 - Not crucial to fix.
    • CVE-2018-11762 - Not crucial to fix.
    • CVE-2018-11761 - Not crucial to fix.
  • Triaged mp4v2
    • CVE-2018-17235 - Ignoring following Debian Security team.
    • CVE-2018-17236 - Ignoring following Debian Security team.
  • Triaged liblouis
    • CVE-2018-17294 - Ignoring following Debian Security team.
  • Triaged salt, added to dla-needed.txt. Mail sent to maintainers.
    • CVE-2017-7893 - Not crucial since some other system must be compromised first, but since one rooted server can cause so many others to be rooted as well, this should be fixed.
  • Triaged python2.7 and python3.4. Added to dla-needed.txt.
    • CVE-2018-1000802 - Shell injection can be crucial. Should be fixed.
  • Triaged openvswitch
    • CVE-2018-17204 - Not affected. Vulnerable code does not exist in the jessie version.
    • CVE-2018-17205 - Not affected. Vulnerable code does not exist in the jessie version.
    • CVE-2018-17206 - Not affected. Vulnerable code does not exist in the jessie version.