Work done this month:
- Wrote a script to bulk add EOL entries for buster.
- Using this script I wrongly marked the following as EOL. That was reverted. Due to this I initiated a discussion on what we should do as front desk right now. The answer was essentially nothing as front desk, but we can do things as regular contributors.
- Marked 8 CVEs as EOL for ckeditor3 in buster [bin/lts-auto-eol ckeditor3 CVE-2014-5191 CVE-2018-17960 CVE-2021-26271 CVE-2021-33829 CVE-2021-37695 CVE-2021-41165 CVE-2022-24728 CVE-2022-24729]
- Marked about 70 CVEs as EOL for gpac in buster [bin/lts-auto-eol gpac $(bin/lts-cve-triage.py | grep gpac -A 68 | grep CVE | sed -e 's/.*- CVE/CVE/;s/ .*//;')]
- Marked 3 CVEs as EOL for libspring-java in buster [bin/lts-auto-eol libspring-java $(bin/lts-cve-triage.py | grep libspring-java -A 5 | grep CVE | sed -e 's/.*- CVE/CVE/;s/ .*//;')]
- Marked 2 CVEs as EOL for node-tar in buster.
- Marked 2 CVEs as EOL for node-url-parse in buster.
- Marked 12 CVEs as EOL for nodejs in buster.
- Added curl to dla-needed since it is in DSA needed and at least one vulnerability applies to buster as well.
- Concluded that asterisk CVE-2022-24793 is not vulnerable in buster since the vulnerable code does not exist. The file is not even present.
- Updated the lts-cve-triage.py script to make sure it checks for unsupported packages for buster instead of stretch. Pushed this change so future front desk will be less confused.
- Added a note for CVE-2021-32686 for asterisk. It took some time to realize the package was vulnerable since pjproject is included as a packed file instead of unpacked source code.
- Looking through issues "postponed" for buster. In fact, they are marked as "no-dsa (minor issue)". Was not sure what to do, so I compiled an email asking for advice.
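The gpac and libspring-java entries above collect CVE ids from lts-cve-triage.py output with `grep <pkg> -A N | grep CVE | sed ...`, where N has to be counted by hand and silently picks up the next package's ids if it is too large. The following is an added example, not part of the report or of the Debian LTS tooling: a POSIX shell helper that takes everything from the package's own header line up to the next non-indented line, so no count is needed. The triage output format is an assumption (a non-indented "package ..." header followed by indented "- CVE-..." lines, consistent with the sed expression in the report); the sample below is constructed from CVE ids that appear in the report.

```shell
#!/bin/sh
# Added example: extract the CVE ids listed under one package in
# lts-cve-triage.py-style output. The output format is assumed, not
# taken from the tool; SAMPLE_TRIAGE is constructed for the demo.

SAMPLE_TRIAGE='ckeditor3 (3 issues):
  - CVE-2014-5191 (some description)
  - CVE-2018-17960 (some description)
  - CVE-2021-26271 (some description)
asterisk (2 issues):
  - CVE-2022-24793 (pjproject, bundled as packed file)
  - CVE-2021-32686 (pjproject, bundled as packed file)
node-tar (0 issues):'

# cves_for_package PKG: read triage output on stdin, print the CVE ids
# belonging to PKG on one line (empty output if PKG has none).
cves_for_package() {
    pkg="$1"
    awk -v pkg="$pkg" '
        # A non-indented line starts a new package block; compare the
        # first word (with any trailing colon stripped) to the wanted name.
        /^[^ \t]/ { name = $1; sub(/:$/, "", name); in_pkg = (name == pkg); next }
        # Inside the wanted block, pick the CVE id out of each line.
        in_pkg && match($0, /CVE-[0-9]+-[0-9]+/) {
            ids = ids (ids ? " " : "") substr($0, RSTART, RLENGTH)
        }
        END { if (ids) print ids }
    '
}

# Demo run on the constructed sample; with the real tool this would be
#   bin/lts-cve-triage.py | cves_for_package gpac | xargs bin/lts-auto-eol gpac
printf '%s\n' "$SAMPLE_TRIAGE" | cves_for_package ckeditor3
```

Because the block ends at the next package header rather than after a fixed number of lines, the same command works unchanged when the number of open issues for a package grows or shrinks between runs, and it never leaks another package's CVEs into the lts-auto-eol argument list.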