Debian Long Term Support work 2023 June

  • Added libusrsctp to dla-needed following decision for bullseye.
  • Marked 389-ds-base CVE-2023-1055 as no-dsa for buster following decision for bullseye.
  • Marked tang CVE-2023-1672 as no-dsa for buster following bullseye.
  • Marked several CVEs for frr as no-dsa (minor issue) following the practice for this package. There are plenty of denial of service class vulnerabilities that are not fixed for this particular package.
  • Added grpc to dla-needed.
  • Marked hoteldruid CVE-2023-33817 as no-dsa (minor issue). SQL injection is a fairly severe issue, but this is only for authenticated users. In hotel management they should be trusted enough to not break things. What is more, there is another CVE, CVE-2021-37832, marked as no-dsa from before. So this keeps the same level of security as has been decided earlier.
  • Marked imagemagick CVE-2023-3195 as no-dsa (minor issue) following similar class vulnerabilities that were also marked as no-dsa for the same package.
  • Added maradns to dla-needed with a note about low prio due to few installations.
  • Added minidlna to dla-needed.
  • Added opensc to dla-needed.
  • Added wordpress to dla-needed.
  • Started to triage trafficserver but realized that it is almost unused. Looking into more prioritized packages first.
  • Marked yajl CVE-2023-33460 as postponed. Since it is a library it may be worth fixing later, but a memory leak is not severe enough to be fixed immediately.
  • Added python-mechanize to dla-needed.
  • Marked golang-github-gin-gonic-gin CVE-2023-29401 as no-dsa (minor issue) for buster.
  • Marked jackson-databind CVE-2023-35116 as no-dsa (minor issue) for buster.
  • Marked rust-h2 CVE-2023-26964 as no-dsa (minor issue) for buster.
  • Marked nagvis CVE-2022-46945 as no-dsa following bullseye decision.
  • Marked wireshark CVE-2023-0667 as no-dsa following bullseye decision.
  • Triaged the package renderdoc. Found two fairly severe CVEs (remote code execution), but since the porting work is costly and the package seems to be very rarely used, I decided to send an email to the rest of the LTS contributors asking for support on this matter.
  • Added syncthing to dla-needed.
  • Triaged the package dogecoin. Again a very rarely used piece of software. 15 installations... The problem looks severe, but no fix seems to be available. Also it is not entirely clear if the vulnerability applies to the software we have in Debian or if it applies to some node software. Likely it applies, but not super clear. Will continue to analyze it.
  • Marked qtbase-opensource-src CVE-2023-34410, CVE-2023-33285 and CVE-2023-32763 as no-dsa following decision for bullseye or bookworm.
  • Marked qtbase-opensource-src CVE-2023-32762 as postponed for buster. It is a little problematic, but is not important enough to be fixed on its own. It works with the most common case, and it is only an issue together with http links on the same page.
  • Marked qtsvg-opensource-src CVE-2023-32573 as no-dsa. It is a possible division by zero problem. No privilege escalation or similar and it is on client side. It is more annoying than a security issue.
  • Email discussion about libusrsctp. In it I suggest we ignore the CVE instead of fixing it. This sort of reverts my previous decision on adding it to dla-needed, but that was made just to follow bullseye.
  • Marked gpac CVE-2023-3291 as end-of-life.
  • Marked librabbitmq CVE-2023-35789 as no-dsa for buster.
  • Marked nuget CVE-2023-29337 as postponed. It may be worth fixing, but it does not warrant its own update. The user has to have a login to make a potential privilege escalation.
  • Marked renderdoc CVE-2023-33865 as postponed for buster.
  • Marked php-react-http CVE-2023-26044 as no-dsa for buster. Minor issue for a package that is used by 4 people according to popcon.
  • Marked golang-golang-x-net-dev CVE-2022-41717 and CVE-2022-27664 as postponed following decision for buster golang-1.11 package.
  • Marked golang-1.11 CVEs as no-dsa for buster following bullseye.
  • Marked golang-1.11 CVE-29403 as no-dsa in buster due to limited support. Also one may consider this as expected behavior.
  • Marked golang-1.11 CVEs as no-dsa for buster due to limited support. Technically these do not follow that limited support pattern, but still they should be postponed.
  • Marked node-matrix-js-sdk CVEs as postponed in buster.
  • Added sabnzbdplus to dla-needed.
  • Added ruby-doorkeeper to dla-needed.
  • Marked tomcat9 CVE-2023-23998 as no-dsa for buster. The reasoning is that the same CVE for libcommons-fileupload-java is declared as no-dsa and minor issue. Since that will not be fixed, there is no point in trying to fix tomcat9, since it depends on libcommons-fileupload-java being fixed.
  • Added trafficserver to dla-needed with a note about low prio due to few users.
  • Marked a number of no-dsa entries for gpac in buster as end-of-life instead.
  • Went through a few packages that have been fixed in bullseye but are no-dsa in buster, but did not find any obvious one to add to dla-needed.
  • Wrote a hand-over email to the next person in LTS frontdesk list.
  • Answered an email from Anton asking for advice for two CVEs.