Debian Long Term Support work 2024 April

  • Sent an email about what issues we should fix and what we should not fix. Essentially suggested that all "low" issues should be postponed.
  • Removed runc from dla-needed after sending an email about this. There is one CVE to potentially be fixed and it is marked as no-dsa with "minor issue" statement. Changed it to postponed instead.
  • Sent an email about the freeimage package saying that it should probably be removed from dla-needed. Claimed it until I get feedback.
  • Further description (by email) of what should warrant a DLA and what should not.
  • Analysed CVE statistics in order to provide useful information on what types we are fixing and which we are not.
  • Further discussion about freeimage.
  • Added the postpone tag for some freeimage CVEs with the motivation that it is a DoS-class vulnerability in a user-interactive program.
  • Removed the postpone tag for some freeimage CVEs, since the motivation for postponing them was to wait until a patch is available, and patches are now available in Fedora.
  • Removed the freeimage claim.
  • Claimed bind9.
  • Sent an email to the list asking for confirmation that we should package a new upstream version instead of trying to patch the package.
  • Updated the security tracker for CVE-2019-12214.
  • The security tracker tagging was wrong. Proposed two new variants by email.
  • Created a ticket for removal of nvidia-cuda-toolkit support.
  • Continued working on the bind9 fix. Concluded that the corrections for CVE-2023-4408 likely introduce an ABI change, making it rather intrusive. After creating a fix for CVE-2023-50387 and CVE-2023-50868, the conclusion is that this one is rather tricky to make. The following commits from the bind-9.11 branch have been used to re-make a patch: After some code amendments and copying from the upstream branch there is now a commit available that builds. It has not been tested.
    • 8b7ecba9885e163c07c2dd3e1ceab79b2ba89e34 Fail the DNSSEC validation on the first failure
    • db083a21726300916fa0b9fd8a433a796fedf636 Add normal and slow task queues (this is the most tricky one and it still does not build without it)
    • 75faeefcab47e4f1e12b358525190b4be90f97de Don't iterate from start every time we select new signing key
    • b38552cca7200a72658e482f8407f57516efc5db Optimize selecting the signing key