Debian Long Term Support work 2024 March

  • Investigated nodejs but found that it was already in the list of packages to fix.
  • Concluded that CVE-2020-36774 (glade) is a minor issue. It appears only in a development tool when opening a specific file. It is a vulnerability, but it is not worth fixing in buster.
  • Marked CVE-2023-6917 as no-dsa for buster following bookworm and bullseye.
  • Marked two CVEs for wireshark as no-dsa for buster following bookworm and bullseye.
  • Concluded that CVE-2024-25768 is a minor issue for the following reasons. The issue occurs if a null list buffer is provided together with a non-zero length for that buffer. In opendmarc itself this will never happen, because the list buffer is always provided with a null value and zero length. When opendmarc is used as a library, it is reasonable to assume that providing a null list and a non-zero length for such a list is a programming error. There are no reverse dependencies for libopendmarc-dev in buster. If someone builds an application that has such an error, it is likely to have other, more severe problems. It is still a vulnerability, but the vulnerability is more in the application calling this function than anywhere else.
  • Added libapache2-mod-auth-openidc to dla-needed after code review. Not a heavily used package, but the vulnerability is remotely exploitable and the effort needed to exploit this DoS class vulnerability is minimal.
  • Added fontforge to dla-needed. Even though this is not remotely exploitable, arbitrary command execution is tricky and should be fixed.
  • Triaged freeipa and concluded that it is minor since it is only a client side problem. Will wait for the regular security team's analysis before making the final call on this. At least a few more days.
  • Marked CVE-2019-9515 as minor issue for buster following bookworm decision.
  • Added postgresql-11 to dla-needed.
  • Marked golang-1.11 CVEs as postponed with limited support.
  • Analyzed CVE-2024-27507 and concluded that it is a minor issue. Memory leak in a command line tool.
  • Added shim to dla-needed. The motivation is accessibility. A bootloader crash is a bad thing from an availability perspective. So strictly speaking it may not be a critical security problem, but it is still worth fixing. Especially since it is an easy fix.
  • Added iwd to dla-needed.
  • Added pdns-recursor to dla-needed.
  • Added wordpress to dla-needed.
  • Added thunderbird to dla-needed.
  • Analyzed CVE-2023-5685 (jboss-xnio) and concluded that it is a minor issue for buster.
  • Analyzed CVE-2024-25269. The conclusion is that it is a minor issue, based on the fact that other similar or worse problems have been considered minor issues for this package.
  • Marked three CVEs for suricata as minor issues for buster following bookworm.
  • Marked CVE-2024-23837 as a minor issue for buster. Suricata is the only reverse dependency in buster, and suricata has many similar vulnerabilities.
  • Analyzed libpgjava and it is vulnerable. The question is whether it is minor because the default config is not vulnerable. Waiting for the regular security team to make a decision. At least a few more days.
  • Analyzed CVE-2024-27351 and concluded that it is a minor issue for buster. The motivation is that it is just a speed issue, and if someone loads a file that looks like that it is not the most dangerous thing. Sure, the tool will hang, but there is no other problem than that.
  • Added ruby-rack to dla-needed.
  • Analyzed CVE-2024-2002 and concluded that it is a minor issue. A potential crash in a command line debug tool.
  • Added expat to dla-needed.
  • Marked CVE-2024-2236 as no-dsa following bullseye.
  • Marked CVEs for nvidia-graphics-drivers-legacy-340xx as ignored for buster.
  • Analyzed freeipa further and after a lot of investigation found that we cannot rule out that the vulnerability can be triggered remotely, even though the server software is not provided. An example use case is when freeipa is used to authenticate users in some other server software like apache or similar. Therefore freeipa was added to dla-needed and the CVE got a note so others can understand the reasoning.
  • Analyzed libpgjava further. It is possible to argue that this is not strictly a vulnerability but simply how SQL works, but the protection is good. Waiting for the security team to check it further.
  • Tried to determine the status of kfreebsd-10 and could not. Sent an email asking whether we should even try.
  • Marked CVE-2014-7250 (kfreebsd-10) as end-of-life for buster.
  • Concluded that CVE-2015-1554 is a minor issue for buster since it is not reproducible.
  • Decided that CVE-2023-39804 (tar) should be fixed in buster as well. Easy fix and tar is a really common tool.
  • Finally decided that it is better to fix libpgjava than not to. Added libpgjava to dla-needed. Better safe than sorry.
  • Ignored CVE-2023-0842 instead of marking it no-dsa in buster, even though it is fixed in bullseye. Extremely few users, so it is not worth fixing in such an old release.
  • Ignored CVE-2021-42343 instead of marking it no-dsa in buster, even though it is fixed in bullseye. Not reproducible and likely not even affected. So let us ignore it.
  • Ignored CVE-2016-1243 and CVE-2016-1244 instead of marking them no-dsa in buster, even though they are fixed in bullseye. A crash in this tool is not important.
  • Ignored CVE-2023-46586 instead of marking it no-dsa in buster, even though it is fixed in bullseye. If the buffer is not terminated it will lead to problems anyway, so this is not really fixing anything.
  • Ignored CVE-2023-52322 instead of marking it no-dsa in buster, even though it is fixed in bullseye. Extremely few users, so it is not worth fixing in such an old release.
  • Marked CVE-2023-46426 and CVE-2023-46427 end-of-life for buster.
  • Removed cpio from dla-needed since there is no CVE to fix.
  • Removed cairosvg from dla-needed since CVE-2023-27586 is too intrusive to fix in buster. Marked CVE-2023-27586 as ignored instead of no-dsa.
  • Removed cinder from dla-needed. Marked CVE-2023-2088 as no-dsa for buster.
  • Marked CVE-2023-28840, CVE-2023-28841 and CVE-2023-28842 as no-dsa following bullseye. Removed docker.io from dla-needed. Sent an email about this to check for objections.
  • Marked most CVEs for edk2 as no-dsa for buster following bullseye, but not all, keeping it in dla-needed.
  • Removed exiftags from dla-needed and marked one CVE as no-dsa for buster following bullseye.
  • Removed freeimage from dla-needed and marked its CVEs as postponed for buster following bullseye.
  • Removed golang-go.crypto from dla-needed and marked one CVE as no-dsa for buster following bullseye.
  • Removed knot-resolver from dla-needed and marked CVEs as either no-dsa or ignored following bullseye.
  • Removed nvidia-cuda-toolkit from dla-needed since there were no CVEs indicating that a fix is needed.
  • Removed python-glance-store when marking CVE-2024-1141 as no-dsa following buster.
  • Removed python-os-brick from dla-needed. The CVE that could potentially warrant a fix was not fixed in jessie and stretch either.
  • Removed qemu from dla-needed. In discussion about this on email.
  • Reverted the decision to remove qemu from dla-needed.
  • Removed runc from dla-needed. Not sure about this though, so sent out an email asking about it.
  • Removed sendmail from dla-needed. Not sure about this though, so sent out an email asking about it.
  • Looked into tinymce status of dla-needed and got quite confused about the triaging status for this package. Sent out an email about this to the list.
  • Sent out an email about tomcat9 status in dla-needed to the front desk that added it.
  • After discussions the conclusion is that the following CVEs should not be ignored: CVE-2023-52322, CVE-2023-46586, CVE-2023-0843, CVE-2021-42344, CVE-2016-1244 and CVE-2016-1243. So reverted those back to no-dsa.
  • Re-added nvidia-cuda-toolkit to dla-needed. One CVE is fixed in bullseye.
  • Re-added cinder to dla-needed. CVE-2020-10755 is fixed in bullseye.
  • Re-added docker.io to dla-needed. Three CVEs are fixed in bullseye.
  • Reverted decision to remove python-os-brick from dla-needed since CVE-2020-10755 is fixed in bullseye.
  • Reverted decision to remove knot-resolver from dla-needed since four CVEs have been fixed in bullseye.
  • Claimed tinymce and after a lot of code analysis concluded that none of the four CVEs filed against tinymce exist in buster, because they are in code that is not present in the buster version. Removed package from dla-needed.