Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2019 February

The following contributions were made:

  • Investigated why DLA emails do not arrive in my mailbox and started email discussion about this.
  • Triaged cacti
    • CVE-2018-20723 - Minor issue. Can be triggered by a malicious editor, sounds like a really rare case.
    • CVE-2018-20724 - Minor issue. Can be triggered by a malicious editor, sounds like a really rare case.
    • CVE-2018-20725 - Minor issue. Can be triggered by a malicious editor, sounds like a really rare case.
    • CVE-2018-20726 - Minor issue. Can be triggered by a malicious editor, sounds like a really rare case.
  • Triaged dovecot. Added to dla-needed.txt.
    • CVE-2019-3814 - Already fixed in stretch. Following that decision.
  • Triaged ceph. Added to dla-needed.txt.
    • CVE-2018-14662 - Sounds serious and it looks like it is applicable.
    • CVE-2018-16846 - Vulnerable. Relevant to fix together with the other one.
  • Triaged sssd. Added to dla-needed.txt.
    • CVE-201-16838 - Following DSA decision.
  • Triaged guacamole-client
    • CVE-2018-1340 - Not affected. The cookie mentioned does not exist in the jessie version.
  • Triaged libarchive. Added to dla-needed.txt.
    • CVE-2019-1000019 - crash can also be worth fixing.
    • CVE-2019-1000020 - infinite loop, can be worth fixing.
  • Triaged liblivemedia. Added to dla-needed.txt.
    • CVE-2019-6256 - Crash looks serious enough.
    • CVE-2019-7314 - Crash looks serious enough.
  • Triaged phpmyadmin
    • CVE-2019-6798 - SQL injection is serious, but if someone has permission to create a user that is a more serious issue. Marking as postponed.
    • CVE-2019-6799 - Serious, should be fixed.
  • Triaged poppler
    • CVE-2019-7310 - DoS not important enough for this package. Ignored.
  • Triaged vips
    • CVE-2019-6976 - Ignored, minor issue.
  • Triaged golang. Added to dla-needed.txt.
    • CVE-2019-6486 - Sounds serious enough. Should be fixed.
  • Triaged libpodofo
    • CVE-2018-20751 - Minor issue, ignored.
  • Triaged mumble
    • CVE-2018-20743 - Was already fixed in jessie. Must be a data update timing problem.
  • Triaged openjpeg2
    • CVE-2019-6988 - No DSA, following this decision. Ignored, minor issue.
  • Triaged curl. Added to dla-needed.txt following the Debian Security team.
    • CVE-2018-16890 - Not a major issue but as it was fixed in stable it should be fixed here too.
    • CVE-2019-3822 - Not a major issue but as it was fixed in stable it should be fixed here too.
    • CVE-2019-3823 - Not a major issue but as it was fixed in stable it should be fixed here too.
  • Triaged gnome-shell
    • CVE-2019-3820 - Version in jessie not affected. It was introduced in a later version.
  • Triaged python3.4. After some investigation it turned out the package was already fixed.
  • Triaged golang but it was already fixed. Quickly found that out.
  • Triaged freerdp
    • CVE-2018-8784 - Not affected since the functionality was introduced even after stretch.
    • CVE-2018-8785 - Not affected since the functionality was introduced even after stretch.
    • CVE-2018-1000852 - Not affected, vulnerable code does not exist.
  • Triaged libreoffice
    • CVE-2018-16858 - DLA allocated but package not uploaded yet.
  • Investigated the effort to backport certbot and sent an email about this.
  • Answered an email about php5 support after EOL.
  • Modified a script from the extended LTS repository to allow triaging even when the json data is not up to date. Based on this I could continue to triage the ones below.
  • Triaged gdm3
    • CVE-2019-3825 - Ignored, minor issue following the decision for stretch.
  • Triaged gpac. Added to dla-needed.txt and maintainers contacted.
    • CVE-2018-20760 - Vulnerable but the package has rather low prio.
    • CVE-2018-20761 - Vulnerable but the package has rather low prio.
    • CVE-2018-20762 - Vulnerable but the package has rather low prio.
    • CVE-2018-20763 - Vulnerable but the package has rather low prio.
  • Triaged gvfs
    • CVE-2019-3827 - Vulnerable code not present.
  • Triaged libsdl1.2, added to dla-needed.txt, maintainers contacted.
    • CVE-2019-7572 - Crash, probably worth fixing.
    • CVE-2019-7573 - Crash, probably worth fixing.
    • CVE-2019-7574 - Crash, probably worth fixing.
    • CVE-2019-7575 - Crash, probably worth fixing.
    • CVE-2019-7576 - Crash, probably worth fixing.
    • CVE-2019-7577 - Crash, probably worth fixing.
    • CVE-2019-7578 - Crash, probably worth fixing.
    • CVE-2019-7635 - Crash, probably worth fixing.
    • CVE-2019-7636 - Crash, probably worth fixing.
    • CVE-2019-7637 - Crash, probably worth fixing.
    • CVE-2019-7638 - Crash, probably worth fixing.
  • Triaged libsdl2, added to dla-needed.txt, maintainers contacted.
    • CVE-2019-7572 - see libsdl1.2 above.
    • CVE-2019-7573 - see libsdl1.2 above.
    • CVE-2019-7574 - see libsdl1.2 above.
    • CVE-2019-7575 - see libsdl1.2 above.
    • CVE-2019-7576 - see libsdl1.2 above.
    • CVE-2019-7577 - see libsdl1.2 above.
    • CVE-2019-7578 - see libsdl1.2 above.
    • CVE-2019-7635 - see libsdl1.2 above.
    • CVE-2019-7636 - see libsdl1.2 above.
    • CVE-2019-7637 - see libsdl1.2 above.
    • CVE-2019-7638 - see libsdl1.2 above.
  • Triaged mosquitto
    • CVE-2018-12546 - Minor issue, ignored.
    • CVE-2018-12550 - Minor issue, postponed.
    • CVE-2018-12551 - Minor issue, postponed.
  • Triaged rdflib, added to dla-needed.txt but with a note that coordination should be done with the maintainers.
    • CVE-2019-7653 - Should probably be fixed.
  • Triaged libemail-address-list-perl
    • CVE-2018-18898 - Minor issue, ignored. Following stretch decision. In fact I fail to see that it is strictly a security vulnerability.