Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2018 December

The following contributions were made:

Marked a few packages similar in stretch when that did not require any further analysis.

  • Triaged ansible
    • CVE-2018-16876 - Vulnerable code not present. Checked code and there is no code that can produce that kind of log.
  • Triaged haproxy. Added to dla-needed.txt and maintainer contacted.
    • CVE-2018-20102 - Looks severe. Worth fixing.
    • CVE-2018-20103 - Looks severe. Worth fixing.
  • Triaged qtimageformats-opensource-src and qt4-x11¬†
    • CVE-2018-19871 - Code vulnerable, but is it important enough. Someone else marked it as postponed which is probably the best.
  • Triaged python-urllib3
    • CVE-2018-20060 - Ignored, minor issue following stretch.
  • Triaged qtbase-opensource-src. Added to dla-needed.txt and maintainers contacted.
    • CVE-2018-19873 - Mat be worth fixing. Low prio.
    • CVE-2018-19870 - May be worth fixing. Low prio.
    • CVE-2018-15518 - Ignored, minor issue.
  • Triaged faad2. Added to dla-needed.txt and maintainers contacted.
    • CVE-2018-19502 - Heap overflow. That can always be tricky. Should be fixed considering the amount of packages using this library.
    • CVE-2018-19503 - Stack overflow. That can always be tricky. Should be fixed considering the amount of packages using this library.
    • CVE-2018-19504 - Minor issue. Null pointer dereference, but as the package anyway should be fixed I marked it as postponed.
  • Triaged gnutls28. Maintainers contacted.
    • CVE-2018-16868 - One more of this type. Should be fixed as this is a very important package.
  • Triaged libraw
    • CVE-2018-5808 - Ignored. A lot of other similar issues have been ignored so following the same route.
    • CVE-2018-5809 - Ignored. A lot of other similar issues have been ignored so following the same route.
  • Triaged mupdf
    • CVE-2018-19777 - Ignored. Infinite loop is not severe enough.
  • Triaged mxml
    • CVE-2018-20004 - Ignored, minor issue.
    • CVE-2018-20005 - Ignored, minor issue.
  • Triaged nettle. Added to dla-needed.txt and maintainer contacted.
    • CVE-2018-16869 - One more of this type. Should be fixed as this is a very important package.
  • Triaged nss
    • CVE-2018-12404 - Bug report not public but it is likely that the package is vulnerable. Adding to dla-needed.txt with a special note.
  • Triaged phpmyadmin. Added to dla-needed.txt and maintainers contacted.
    • CVE-2018-19968 - Sounds serious enough for a fix!
    • CVE-2018-19970 - Minor issue.
  • Triaged libspring-java
    • CVE-2018-10040 - It had an odd comment that relevant commits could not be found. Analyzed it further and changed it to minor issue instead. Marked as minor also in stretch.
    • CVE-2018-10039 -¬†Marked as minor also in stretch.
  • Updated the LTS README file since I should obviously not helped the Security team with the triaging.
  • Triaged qt4-x11 and qtbase-opensource-src
    • CVE-2018-19870 - no-dsa in stretch. Ignoring also for jessie.
    • CVE-2018-19873 - DoS class vulnerability so this can safely be ignored.
  • Triaged wordpress. Package added to dla-needed.txt and mantainer contacted.
    • CVE-2018-20147 - Serious enough for a fix.
    • CVE-2018-20148 - Serious enough for a fix.
    • CVE-2018-20149 - Less serious but will not mark as postponed as the package should be fixed anyway.
    • CVE-2018-20150 - Less serious but will not mark as postponed as the package should be fixed anyway.
    • CVE-2018-20151 - Serious enough for a fix.
    • CVE-2018-20152 - Serious enough for a fix.
    • CVE-2018-20153 - Serious enough for a fix.
  • Triaged libraw
    • CVE-2018-5817 - Ignored following stretch.
    • CVE-2018-5818 - Ignored following stretch.
    • CVE-2018-5819 - Ignored following stretch.
  • Answered an email about a proposed fix for uw-imap. Essentially the correction looks good.
  • Answered an email about a phpmyadmin vulnerability.
  • Worked on a solution to exclude uploaders and just email the maintainer in contact-maintainer script but it turned out to be a rather complicated thing. Email sent about this.