Work done this month:
- Went through a few of the packages to see which CVEs I have the competence to work on.
- Worked on CVE-2021-22876/curl, supporting the update:
  - Reviewed the patch
  - Regression testing on a built package
  - Reproduced the issue
  - Verified that the fixed package does indeed fix the problem
- Initiated a discussion about go package support.
- Initiated a discussion about firmware-nonfree support, resulting in an email to the package maintainers.
- Checked a question on whether we should automate the detection of packages having a higher revision in stretch than in buster. The conclusion was yes and I wrote such a script. The result was that four packages were found to have this problem.
- Removed golang-gogoprotobuf from dla-needed and marked CVE-2021-3121 with no-dsa.
- Updated information on firmware-nonfree status.
- Removed firmware-nonfree from dla-needed with updated information in the related CVEs. Some are ignored while others are plain no-dsa:
  - CVE-2020-12313 CVE-2020-12319 CVE-2020-12321 no-dsa
  - CVE-2020-12362, CVE-2020-12363 and CVE-2020-12364 ignored since a linux patch is needed
- Marked CVE-2021-30130 as not-affected, with a note, for stretch and removed *phpseclib from the dla-needed file. Also sent an email about this.
- Marked CVE-2020-35546 as no-dsa for stretch following decision for buster. Removed from dla-needed accordingly.
- Investigated squid3 to check whether stretch is affected, and it looks like it is, even though the source code has moved from one file to another.