Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2020 September

The following contributions were made:

  • Working on fixes for ceph. Had build issues due to the extreme disk usage for the build. Was able to free up some 50G of disk space that is required for this build. Starting to realize that I may not be able to test the update, but one problem at a time. Was able to complete the following:
    Packages available in http://apt.inguza.net/stretch-lts/ceph/
    • CVE-2018-16889 - the code is different so the patch does not apply cleanly. The code is still vulnerable. Patch prepared, but it fails to build... so excluding it, since including it is rather a lot of work. The functions used must be ported too.
    • CVE-2020-1760 - patch applied but it did not build. Had to adjust it according to how the jessie version update was made to make it build.
    • CVE-2020-10753 - patch applied
    • CVE-2018-16846 - patch prepared, but it had to be adjusted somewhat in order to build.
    • CVE-2018-14662 - patch prepared
  • Sent an email about testing of ceph.
  • Investigated CVE-2019-11841 for golang-go.crypto and expressed my opinion on what a real fix would be. However, a full fix cannot be done without an API change.
  • Decided to mark CVE-2019-17178 as no-dsa for freerdp. The motivation is that similar vulnerabilities were marked the same, for example CVE-2019-17177.