Debian Long Term Support work 2020 February

 

Due to a fire the data is not complete. This is data restored from git logs meaning it is far from complete.
Work done this month:
  • Worked on php5
  • Changed python-bleach CVE from not-affected to ignored. Salvatore pointed out that it was a wrong conclusion but the fix is too invasive in jessie.
  • Marked three vulnerabilities for wireshark as postponed.
  • CVE-2017-6363 marked as ignored for jessie following Debian Secutiry team.
  • Added pure-ftpd to DLA needed. A little hard to judge the severity. The package is clearly vulnerable and the fix is really simple.
  • Marked CVE-2020-6802 as not affected for jessie. The vulnerable functionality does not exist in this version.
  • Added lua-cgi to the dla-needed list with a note that one possibility is to declare it unsupported.
  • Added libspring-java to dla-needed with a note that it is not completely triaged. Will continue later.
  • Adding rake to dla-needed.txt. Simple to fix.
  • CVE-2020-9365 marked as not affected since the vulnerable function does not exist in the jessie version of pure-ftpd. Instead of the vulnerable pure_strcmp the regular strcmp is used in this version.
  • ... and more see the secutiry tracker git