Debian Long Term Support work 2023 April

Work done this month:

  • Triaged sqlite3 and concluded that it was fixed upstream before the version uploaded for buster.
  • Added openvswitch to dla-needed since the package has already been fixed in bullseye and it is clearly vulnerable. Made a typo but that was corrected.
  • Triaged the following packages and marked them as no-dsa following the decision for bullseye.
    • mediawiki - CVE-2023-29141
    • node-xml2js - CVE-2023-0842
    • pdns-recursor - CVE-2023-26437
    • python-future - CVE-2022-40899
    • ruby-commonmarker - CVE-2023-22483 CVE-2023-22484 CVE-2023-22485 CVE-2023-22486 CVE-2023-24824 CVE-26485
    • qemu - CVE-2023-1544
    • tiff - CVE-2023-30774
    • sgt-puzzles
    • php-guzzlehttp-psr7 - CVE-2023-29197 - This is a little stronger than bullseye since it was said to be fixed in a point release but the decision here is to not fix at all.
  • Triaged the heat package and concluded that CVE-2023-1625 must be considered a minor issue. It is only an information leak vulnerability with fairly low impact, it is limited to authenticated users, and in addition the popcon score tells that the package is maybe installed like two times.
  • Triaged the angular.js package but was not sure how to treat these three vulnerabilities CVE-2023-26116 ... 118. DoS on the client side. A few thousand installations. Maybe it should be added to dla-needed. Waiting a few more days.
  • Triaged avahi and concluded that a DoS vulnerability on such a popular package must be important to fix and therefore added to dla-needed.
  • Triaged connman and concluded that the package is vulnerable and it should warrant an update so added to dla-needed.
  • Triaged the frr package and concluded that it does not need to be fixed. There are many other vulnerabilities in this package that are far more problematic than a reachable assertion. So marked as no-dsa.
  • Added openjdk-11 to dla-needed since it is in dsa-needed and little information is available, meaning it is hard to check whether the problem is in buster or not.
  • Added wireshark to dla-needed since similar problems have been fixed in the past.
  • Added redis to dla-needed. It is a popular package and even though you need to be authenticated, if there are multiple users one user can destroy things for the other ones. So it should be updated to be on the safe side.
  • Started to triage stellarium. Will continue tomorrow.
  • Added jackson-databind to dla-needed.
  • Marked CVE-2021-28235 as no-dsa for package etcd in buster since the issue only occurs with debug enabled.
  • Triaged mootools CVE-2021-32921 and marked as no-dsa for buster since the impact is low. Upstream has considered the impact too low to fix it.
  • Triaged nbconvert CVE-2021-32821 and it may be worth fixing. Further analysis on whether this requires more work on the user side needs to be done later.
  • Started to triage nextcloud-desktop. According to the description (most?) of the CVEs are not in buster, but that could potentially be because they have not checked the 2.x branch. Will check further. ... After source code analysis it is clear that CVE-2023-28997 through CVE-2023-29000 apply to pre-3.0 versions even though the text says something else. In any case the severity is similar to many other issues in nextcloud-desktop, and those were marked as no-dsa with the motivation "minor issue". Doing the same for these CVEs as well.
  • Marked imagemagick CVE-2023-1906 as no-dsa for buster since it is a denial of service vulnerability and this follows the practice for other vulnerabilities of this kind for this package.
  • Marked slic3r CVE-2022-36788 as no-dsa for buster. I fail to see that a generator tool for 3D printers needs to be fixed.
  • Added sniproxy to dla-needed. Arbitrary code execution is a severe issue. Only 22 users according to popcon, though. As long as the package is supported it should be fixed.
  • Added epiphany-browser to dla-needed.
  • Triaged a few more packages but due to lack of information could not determine anything useful.