Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2020 December

The following contributions were made:

  • Discussions on how triage should be done. Did an update to the LTS development wiki page.
  • Investigated ruby-oath and concluded that the package is vulnerable but that the severity is not high. The reason is that the package depends on ca-certificates, and ca-certificates generates one of the files. Hence I declared CVE-2016-11086 as no-dsa and removed the package from dla-needed.txt.
  • Investigated ruby-doorkeeper but could not figure out whether the source is vulnerable or not. May try again.
  • Investigated pluxml and found that CVE-2020-18184 and CVE-2020-18185 are questioned upstream. The documentation states that this is intended behavior: Pluxml admins are supposed to be able to edit things (like templates and config files) in a way that allows them to execute arbitrary PHP code. Sent an email to the LTS list requesting advice before marking them no-dsa/ignored/postponed. Got advice and marked the two CVEs as unimportant and removed the package from dla-needed.
  • Looked at wireshark (including source analysis) and marked all issues as postponed. For one CVE it was hard to tell whether it is in fact applicable at all, and another was clearly only partially applicable. Added a note that there is no need for an immediate DLA for this package but did not remove the entry, since it is not fully clear how this should be handled. Sent an email asking for advice on this matter.