Debian Long Term Support work 2021 May


Work done this month:
  • Gone through a few of the packages to see what CVEs I have the competence to work on.
  • Worked on CVE-2021-22876/curl, supporting the update.
    • Reviewed the patch
    • Regression testing on a built package
    • Reproduced the issue
    • Verified that the fixed package does indeed fix the problem
  • Initiated a discussion about go package support.
  • Initiated a discussion about firmware-nonfree support, resulting in an email to the package maintainers.
  • Checked the question of whether we should automate the detection of packages that have a higher revision in stretch than in buster. The conclusion was yes and I wrote such a script. The result was that four packages were found to have this problem.
  • Removed golang-gogoprotobuf from dla-needed and marked CVE-2021-3121 with no-dsa.
  • Updated information on firmware-nonfree status.
  • Removed firmware-nonfree from dla-needed with updated information in the related CVEs. Some are ignored while others are plain no-dsa.
    • CVE-2020-12313 CVE-2020-12319 CVE-2020-12321 no-dsa
    • CVE-2020-12362,3,4 ignored since a linux patch is needed
  • Marked CVE-2021-30130 as not-affected, with a note, for stretch and removed *phpseclib from the dla-needed file. Also sent an email about this.
  • Marked CVE-2020-35546 as no-dsa for stretch following decision for buster. Removed from dla-needed accordingly.
    • Investigated squid3 to check whether stretch is affected, and it appears to be, even though the source code has moved from one file to another.
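As an added illustration of the stretch-versus-buster check mentioned above (this is not the script the report refers to, and the LTS team's script is not published here): a package whose stretch version sorts higher than its buster version would be kept by apt on upgrade, so the buster security fixes would never be installed. The example below reimplements dpkg's version ordering in pure Python (epoch, then upstream, then Debian revision, with `~` sorting before everything) so it runs without python3-apt, and applies it to two constructed Sources-style listings. All package names and versions in it are made-up sample data.

```python
# Added example: dpkg-style version comparison used to flag packages whose
# stretch version is higher than their buster version. Sample data below is
# constructed, not real Debian packages or versions.

def _order(c):
    """Weight of one character in the non-digit phase of dpkg's comparison."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1            # '~' sorts before anything, even end of string
    if c:
        return ord(c) + 256  # other punctuation sorts after letters
    return 0                 # end of string

def _verrevcmp(a, b):
    """Compare two upstream or revision strings the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Phase 1: runs of non-digit characters, compared by weight.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Phase 2: runs of digits, compared numerically (leading zeros dropped).
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1             # a has more digits left, so its number is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def parse_version(version):
    """Split a Debian version into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is lower than, equal to or higher than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0

def parse_sources(text):
    """Map Package -> Version from a Sources-style listing of blank-line paragraphs."""
    versions = {}
    for paragraph in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in paragraph.splitlines() if ": " in line)
        if "Package" in fields and "Version" in fields:
            versions[fields["Package"]] = fields["Version"]
    return versions

def higher_in_old_suite(old, new):
    """Packages in both suites whose version in the older suite sorts higher."""
    return sorted(p for p in old if p in new and compare_versions(old[p], new[p]) > 0)

# Constructed sample listings (hypothetical packages and versions).
STRETCH_SOURCES = """\
Package: samplepkg-a
Version: 1.2.3-1+deb9u3

Package: samplepkg-b
Version: 2.5.1-1+deb9u1

Package: samplepkg-c
Version: 1:0.9-3

Package: samplepkg-d
Version: 3.0~rc2-1
"""
BUSTER_SOURCES = """\
Package: samplepkg-a
Version: 1.2.3-1+deb10u1

Package: samplepkg-b
Version: 2.4.0-2

Package: samplepkg-c
Version: 1.0-1

Package: samplepkg-d
Version: 3.0-1
"""

def find_sample_regressions():
    """Run the check over the constructed listings; expected: samplepkg-b and -c."""
    return higher_in_old_suite(parse_sources(STRETCH_SOURCES), parse_sources(BUSTER_SOURCES))
```

On real data the two listings would come from the `Sources` index of each suite; `samplepkg-a` shows why a plain string comparison is not enough (`deb9u3` sorts below `deb10u1` numerically), and `samplepkg-d` shows the `~` rule that keeps a release candidate below the final release.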