Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2020 February

The following contributions were made:

  • Front desk work.
  • Triaged newlib. Marked the following CVEs as ignored following the decision for stretch: CVE-2019-14871 ... CVE-2019-14878.
  • Looked through the undetermined issues and concluded that most of them are indeed impossible to determine. One of them, CVE-2017-2581, has been tried a few times but is not reproducible. I would say that it is concluded that the package is not vulnerable, but I cannot tell for sure.
  • Changed my decision regarding CVE-2020-8592 and added python2.7 and 3.4 to dla-needed.txt.
  • Regular work.
  • Looked at the ruby-rack timing attack CVE to check whether it is worth fixing or not. Did not understand why they decided to implement it in a way that introduces a regression. There should be other ways to do that. Analyzed it and proposed a high-level solution description with the hope that it helps the patching.
  • Noted that intel-microcode is postponed for buster and stretch. The same can be done for LTS, and I noted that in dla-needed.txt.
  • Looked into phppgadmin and sent an email about my thoughts to the LTS list. The effort to fix this would be quite large, I think.
  • More front desk work.
  • Triaged golang-go.crypto and marked CVE-2020-9283 as ignored for jessie following the decision from the regular Debian Security team.
  • Triaged plymouth and marked CVE-2018-20839 as ignored for jessie following the decision from the regular Debian Security team.
  • Triaged zsh but did not mark CVE-2019-20044 as ignored for jessie following the decision from the regular Debian Security team, since a DLA had already been issued.
  • Triaged sympa and marked CVE-2020-9369 as not affected following the decision from the regular Debian Security team, since the vulnerability was introduced in a later release.
  • Triaged pure-ftpd and marked CVE-2020-9365 as not affected since the vulnerable function does not exist in the jessie version of pure-ftpd. Instead of the vulnerable pure_strcmp, the regular strcmp is used in this version.
  • Triaged lua-cgi and found three vulnerabilities that should be fixed. The session id vulnerabilities are quite severe, but such a problem should be found easily if the software is used a lot. So I checked popcon and just some 80 installations were reported. Sent an email to the LTS list reporting this and suggested that we should instead mark lua-cgi as unsupported. Will check for replies.
  • Triaged rake and found that CVE-2020-8130 is easy to fix and potentially severe. Added to dla-needed.txt.
  • Started to triage libspring-java. Added it to dla-needed.txt with a note that the triaging is not complete but if other people have the time they can continue.
  • Some email correspondence on various matters.
  • Triaged python-bleach and concluded that CVE-2020-6802 is not a problem in jessie. The reason is that the vulnerable functionality does not exist in jessie. Marked it accordingly.
  • Triaged libgd2 and marked CVE-2017-6363 as ignored following the Debian Security team.
  • Triaged pure-ftpd and concluded that it is vulnerable to CVE-2020-9274. The patch fixes the issue, but I would have removed one more assignment as it is overwritten a few lines later. Added the package to dla-needed anyway.
  • Triaged wireshark and marked three issues as postponed for jessie. They are about as severe as other postponed issues. The issues do not have a CVE id yet.
  • Helped with some analysis of qemu vulnerabilities.
  • Triaged php5. Concluded that php5 is also vulnerable to the three CVEs listed. The Windows problem may not be an issue for Linux, but better fix it anyway to be on the safe side. Added to dla-needed.