Work done this month:
- Gone through a few of the packages to see what CVEs I have the competence to work on.
- Answered an email about CVE-2021-22876/curl. Claiming that this is not a vulnerability. If it is fixed it should have a configuration option because the behavior could be desirable and the risk of a successful attack with or without the correction should be the same. After more investigation the conclusion that a fix should be no problem but it should still be safe to ignore since the vulnerability is minor. On the other hand curl is a very popular package and also minor issues can be worth fixing.
- Wrote a script that can check whether a list of packages is declared as end-of-life for some CVE.
- Due to front-desk absense, I checked through the triage list to see that there is no major issue to handle. At least LTS is not worse than normal Debian security.
- Investigated opendmarc:
- CVE-2020-12460 Marked as no-dsa since it has been done for buster.
- CVE-2020-12272 Keeping it open.
- Continued to investigate the curl issue and reviewed the patch.