Debian Long Term Support work 2016 November

The following contributions were made:

  • Investigation of a regression problem due to the nss (DLA-677-1) update. The conclusion is that this is a general problem for all applications that fork (at least in some situations), but it looks like only chrome was affected. No further update was done on this.
  • Front desk work.
    Reached the following conclusions:
    • nss vulnerable. Motivation: Red Hat has issued a correction for this.
    • mcabber vulnerable. Motivation: Another package with a similar vulnerability has a fix and a DLA was sent for that one.
    • ntp vulnerable. There were a few CVEs to triage but only the following were marked as no-dsa:
      • CVE-2016-7429
      • CVE-2016-7431 (vulnerable code not affected)
      • CVE-2016-7433
    • maradns vulnerable.
    • qemu vulnerable (but that was not true)
    • xen vulnerable.
    • lxc vulnerable.
    • w3c vulnerable, but some of the issues should be considered no-dsa.
    • xen vulnerable (again).
    • w3m vulnerable but the following were tagged no-dsa:
      • CVE-2016-9622
      • CVE-2016-9623
      • CVE-2016-9624
      • CVE-2016-9628
      • CVE-2016-9629
      • CVE-2016-9631
    • tiff vulnerable but the following were marked as no-dsa:
      • CVE-2016-9538
    • libsoap-lite-perl vulnerable