Debian Long Term Support work 2022 July

Work done this month:

  • Wrote a script to bulk add EOL entries for buster.
  • Using this script I wrongly marked the following as EOL. That was reverted. Due to this I initiated a discussion on what we should do as front desk right now. The answer was essentially nothing as front desk, but we can do things as regular contributors.
    • Marked 8 CVEs as EOL for ckeditor3 in buster [bin/lts-auto-eol ckeditor3 CVE-2014-5191 CVE-2018-17960 CVE-2021-26271 CVE-2021-33829 CVE-2021-37695 CVE-2021-41165 CVE-2022-24728 CVE-2022-24729]
    • Marked about 70 CVEs as EOL for gpac in buster [bin/lts-auto-eol gpac $(bin/ | grep gpac -A 68 | grep CVE | sed -e 's/.*- CVE/CVE/;s/ .*//;')]
    • Marked 3 CVEs as EOL for libspring-java in buster [bin/lts-auto-eol libspring-java $(bin/ | grep libspring-java -A 5 | grep CVE | sed -e 's/.*- CVE/CVE/;s/ .*//;')]
    • Marked 2 CVEs as EOL for node-tar in buster.
    • Marked 2 CVEs as EOL for node-url-parse in buster.
    • Marked 12 CVEs as EOL for nodejs in buster.
  • Added curl to dla-needed since it is in DSA needed and at least one vulnerability applies to buster as well.
  • Concluded that asterisk CVE-2022-24793 is not vulnerable in buster since the vulnerable code does not exist. The file is not even present.
  • Updated the script to make sure it checks for unsupported packages for buster instead of stretch. Pushed this change so future front desk will be less confused.
  • Added a note for CVE-2021-32686 for asterisk. It took some time to realize the package was vulnerable since pjproject is included as a packed file instead of unpacked source code.
  • Looked through issues "postponed" for buster (in fact marked as "no-dsa (minor issue)"). Was not sure what to do, so I compiled an email asking for advice.