Inguza Technology AB


Debian Long Term Support work 2020 April

The following contributions were made:

  • Front desk work.
  • Marked CVE-2020-1927 and CVE-2020-1934 for apache2 as ignored, following the decision for later releases.
  • Marked CVE-2019-15522 for csync2 as ignored, following the decision for later releases.
  • Triaged glibc. Concluded by code analysis that jessie is not affected by CVE-2020-6096: the mentioned code is not present in jessie.
  • Triaged gpac. Marked a few CVEs as ignored, following the decision for later releases.
  • Triaged firefox-esr. Added to dla-needed.
  • Triaged u-boot again now that the Security Team has made its analysis. Marked as minor, following the decision for later releases.
  • Triaged viewvc. Marked as minor, following the decision for later releases.
  • Triaged CVE-2020-11441 for phpmyadmin. It was marked as undetermined. The conclusion after code analysis is that jessie cannot be affected since the pma_error display code does not exist. Instead of displaying the error message from the connect layer it simply displays that login is not allowed, without returning any data.
  • Triaged CVE-2020-10688 for resteasy. It was marked as undetermined. Could not find evident proof that jessie is not affected. What is clear is that the NotFoundExceptionMapper is only in the example code. But I could not find evidence that this is proof that the package in jessie is not affected. This should be a minor issue, however.
  • Triaged libxml2 and its two undetermined issues. However, I could not find the libxml2 version used in iOS, so it is not really possible to conclude what the problem is.
  • Front desk work.
  • Triaged qemu. Looks serious enough and is in DSA needed. Checked the source code and the vulnerable code is present.
  • Added a few end of life entries for xen and libperlspeak-perl.
  • Triaged CVE-2020-10663 for ruby-json and ruby2.1. Source analysis of ruby-json shows that the package is vulnerable and should be fixed. The package ruby-json should be fixed since the code is clearly vulnerable and it looks like a rather serious problem. Ruby version 2.1 is not vulnerable since it does not have this piece of code. Marked this without any jessie-specific tag since 2.1 is only in jessie and therefore does not affect any other release.
  • The conclusion regarding ruby2.1 was wrong. It was based on a typo in my search. Now added ruby2.1 to dla-needed too. Thanks to Salvatore for reverting my statement.
  • Triaged libgit2 and followed the decision from the Debian Security team, concluding no-dsa for CVE-2020-12279 and CVE-2020-12278.
  • Triaged CVE-2020-12243 for openldap and CVE-2020-10704 for samba. Both are essentially the same issue. Added both to dla-needed.txt.
  • Triaged openexr and marked CVE-2020-11758 to CVE-2020-11765 as no-dsa with the comment "minor issue". Earlier CVEs in the same package with a very similar problem were marked this way, so there is no point in doing this update.
  • Triaged re2c. Concluded that the Debian Security team decision holds for jessie as well. Marked CVE-2018-21232 as no-dsa.
  • Triaged opensc. The problem in CVE-2019-20792 is a double free. OpenSC contains tools for interacting with smart cards. The question is whether we should assume that the tools are only used to interact with known cards. In this case this is not an issue. However, if cards from anyone should be assumed, then this can potentially be a problem. Still, a double free should not give more than a crash. On the other hand, this piece of software seems to have got quite a lot of security issues fixed, even heap overflows and the like. Looks like the package maintainer has been working hard to keep security good. Also rather minor issues have DLAs assigned. So even though the severity is not that high, maybe it should be fixed. In any case it is not urgent, so I'll wait some time for the Debian Security team to make a judgement.
  • Triaged percona-xtrabackup. Not urgent. The question is whether a no-dsa is good enough. Will wait some more days for the Debian Security team to make a decision.
  • Participated on the monthly meeting and took an AP to update the README file.