Debian Long Term Support work 2021 June


Work done this month:
  • Worked on qemu and concluded that no update is necessary. Removed from dla-needed.txt.
    • CVE-2021-3607 and 3608 - Not affected since the vulnerable code does not exist.
    • CVE-2021-3592, 3593, 3594 and 3595 - Marked no-dsa following buster.
    • CVE-2021-3582 - Not affected since the vulnerable code does not exist.
  • Re-added the no-dsa decision for LTS golang-gogoprotobuf CVE-2021-3121. It was previously marked for jessie which was not the intention.
  • Helped with triaging the golang-* packages. The conclusion is that we have denial of service and crash issues but only in -dev packages and this means that application must be rebuilt as well. Debian do not ship any such application.
  • Triaged mapcache for stretch following no-dsa decision for buster.
  • Triage result for golang packages in stretch. Marked all issues for golang-1.8, golang-x-text and golang-golang-x-net-dev as no-dsa since it is not in packages to support list and golang support is very limited in stretch and buster. Added golang-1.7 to the dla-needed since it is in fact in packages to support but with a note that it should be checked further.
  • Further checked firmware nonfree. The conclusion is thar firmware-nonfree does not contain the vulnerable source. Instead the code is in the linux source. Applies to CVE-2020-24586 CVE-2020-24587 and CVE-2020-24588.
  • Reverted the conclusion on firmware-nonfree. This was a conclusion made on a wrong assumption.