Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2018 August

The following contributions were made:

  • Followed up on a discussion about jetty and the CVEs affecting jetty, jetty8 and jetty9.
  • Responded with an email to Credativ with information on how to proceed with Xen.
  • Claimed gnutls and started to analyze it.
    • CVE-2018-10844 - Patches found. One of them removes SHA256 and SHA384 from the defaults. This should be ok due to the introduction of AEAD, but it can be problematic from a backwards-compatibility point of view. Backporting remains and should be fairly easy; maybe it even applies cleanly once the file names are sorted out. Further investigation needed.
    • CVE-2018-10845 - Patch found. Backporting remains. Easy to do but with limited value on its own. Should we really remove SHA384 from defaults?
    • CVE-2018-10846 - GnuTLS does not fix the issue and does not plan to either. Instead they promote the encrypt-then-mac approach by introducing a new force flag. This is not possible to introduce in oldstable, so the issue is ignored.