Debian Long Term Support work 2020 June

The following contributions were made:

  • Expressed opinion about jquery update.
  • Security correction for alpine and CVE-2020-14929 including all the steps. Noted (after the fix was uploaded) that it is marked as no-dsa in stretch and buster. It should be fixed at least when stretch reaches LTS.
  • Answered/commented on a question on what we should do with DLA needed list.
  • Was about to claim bison but instead concluded that a command line crash is really not worth fixing in stretch. Instead marked CVE-2020-14150 as no-dsa and removed the package from dla-needed file.
  • Started working on a correction for drupal7. Backport of correction from stretch. CVE-2020-13663 (SA-CORE-0004) applied. Installed a fresh LXC container to test it in. Installation worked fine and unit testing shows just as many faults as the most recent package.
  • Started working on a correction for pound. Backport of correction for stretch. Got good information from Salvatore. It looks like this issue (CVE-2018-21245) was already corrected with the fix for CVE-2016-10711. It is not entirely clear why a second CVE was created for the same issue. After a double-check I concluded that this is the case and no correction is needed since the problem is already fixed.
  • Sent a question on the most efficient way to rebase a forked repo.