Debian Long Term Support work 2022 November

Work done this month:

  • Decided to wait a little with analysis of issues for the following packages since the popcon score is very low. Will continue later this week, if other higher prioritized ones do not appear.
    • onionshare
    • 389-ds-base
    • wabt (slightly more users so it should have prio)
    • smarty3 (slight more users so it should have prio)
    • ring (slightly more...)
    • shiro
    • ruby-sidekiq
    • ruby-omniauth
    • ruby-commonmarker
    • nheko
    • libitext5-java
    • node-matrix-js-sdk (just 2...)
    • php-dompdf
    • pngcheck
    • powerline-gitstatus
    • puppet-module-puppetlabs-apt (very low)
    • puppet-module-puppetlabs-mysql (very low)
    • php-illuminate-database
  • Re-triaged rabbitmq-server after ELTS front desk pointed out that the package was not affected there. It is not vulnerable to the specific CVE, but vulnerable to a much worse problem. To be discussed further with ELTS front desk. After the discussion did the following. Removed rabbitmq-server from dla-needed. Noted the related CVE as not-affected for buster. Also added a note that buster is in fact affected by a worse problem that the CVE described but that is still minor and therefore no extra CVE should be necessary for that.
  • Triaged tomcat9 and concluded that CVE-2022-42252 is a minor issue because the problem is only present when the administrator has explicitly disabled checking for illegal headers. One can even consider this to be the expected behavior because the issue is that it accept some specific illegal header.
  • Triaged python3.7. Well started. Need to dig some more to understand whether buster is affected or not. It took some time but when reading the available description thoroghly it is clear that buster is not affected. The vulnerable function was introduced in a bug fix in a later version of 3.7. Marking the CVE accordingly.
  • Triaged jupyter-core and the described issue is a arbitrary code execution problem. That is typically bad so it should be fixed.
  • Triaged android-platform-system-core. The package is likely vulnerable. I have not run the PoC code available and there is no known fix to check against the source code. Adding to dla-needed for further investigation.
  • Triaged ruby-rails-html-sanitizer. The package is vulnerable to CVE-2022-32209 and XSS issues has been fixed in the past so adding the package to dla-needed.
  • Triaged alpine and concluded that CVE-2021-46853 is a minor issue not requiring a DLA following the decision for buster.
  • Triaged powerline-gitstatus and concluded that the CVE-2022-42906 solution change requires the user to update local configuration. Considering that it was marked as no-dsa for bullseye we can then ignore the issue for buster.
  • Triaged libde265 and concluded that it is not urgent at least. Will give Debian Security team a little more time to see how they judge.
  • Triaged sudo. Concluded that it is not super-urgent so will leave some time for Debian Security team to judge.
  • Triaged webkit2ktk and conclued that CVE-2022-42823 warrants a correction (arbitrary code execution is not good) so the package was added to dla-needed following the decision to adding it to dsa-needed.
  • Triaged nodjs and added nodejs to dla-needed following the decision to add it to dsa-needed.
  • Triaged php-cas and concluded that the issue is severe but at the same time the correction is a breaking change. Added php-cas to dla-needed with a note that it should be further investigated.
  • Triaged and added sudo to dla-needed. It may not be the most important fix but sudo is a very important function so better to be sure.
  • Triaged and added pixman to dla-needed. It was hard to judge the severity of the issue so decided that it is better to fix than not to and the fix is trivial.