Inguza Technology AB

technology, analysis and solutions

Debian Long Term Support work 2021 April

 

Work done this month:
  • Went through a few of the packages to see what CVEs I have the competence to work on.
  • Answered an email about CVE-2021-22876/curl, claiming that this is not a vulnerability. If it is fixed, it should have a configuration option, because the behavior could be desirable and the risk of a successful attack with or without the correction should be the same. After more investigation, the conclusion was that a fix should be no problem, but it should still be safe to ignore since the vulnerability is minor. On the other hand, curl is a very popular package and even minor issues can be worth fixing.
  • Wrote a script that can check whether a list of packages is declared as end-of-life for some CVE.
  • Due to front-desk absence, I checked through the triage list to see that there is no major issue to handle. At least LTS is not worse than normal Debian security.
  • Investigated opendmarc:
    • CVE-2020-12460: Marked as no-dsa since it has been done for buster.
    • CVE-2020-12272: Keeping it open.
  • Continued to investigate the curl issue and reviewed the patch.