Debian Long Term Support work 2023 February

Work done this month:

  • Triaged git since it was already added to dsa-needed. Concluded that it should be fixed in buster too so added it to dla-needed.
  • Triaged resteasy3.0 and concluded that the verdict for CVE-2023-0482 as no-dsa holds for buster too.
  • Triaged php7.3 and concluded that the three CVEs are a problem. The question is whether they warrant a DLA. Will check again tomorrow. It is not super urgent at least. Later in the week concluded that it should be fixed since a DSA was made for php7.4.
  • Triaged python3.7 and concluded that it is worth fixing. Added to dla-needed.
  • Triaged mariadb-10.3. It does not look severe but will re-visit it later this week to see what the Debian security team concluded. Later in the week concluded that a DSA was created for mariadb-10.5, so added mariadb-10.3 to dla-needed.
  • Triaged tiff since it was already added to dsa-needed. Concluded that it should be fixed in buster too so added it to dla-needed.
  • Marked CVE-2023-24998 (libcommons-fileupload-java) as no-dsa following decision for bullseye.
  • Marked CVE-2021-32142 (libraw) as no-dsa following decision for bullseye.
  • Triaged binwalk and concluded that CVE-2022-4510 should be fixed so adding the package to dla-needed.
  • Triaged mono. After some investigation I decided to add it to dla-needed with two notes: one that it is postponed in bullseye and the other that it requires further investigation. Why does defining a desktop link cause this security problem?
  • Started to triage emacs. It looks important but will revisit tomorrow. The next day it was clear that it was added to dsa-needed, so added it to dla-needed since I had already considered it as important.
  • Triaged libgit2. CVE-2023-22742 is not important. I would even argue that if a callback is not defined it is expected behavior. CVE-2022-12278 and CVE-2020-12279 only occur on NTFS filesystems, so following the old decision from jessie.
  • Triaged mruby and marked CVE-2021-46023 as no-dsa for buster following decision for bullseye.
  • Triaged jquery-minicolors and marked CVE-2021-32850 as no-dsa for buster following decision for bullseye.
  • Triaged glusterfs and marked CVE-2022-48340 and CVE-2023-26253 as no-dsa for buster following decision for bullseye.
  • Triaged nethack. CVE-2023-24809 marked as no-dsa as it is a minor issue.
  • Triaged syslog-ng and it sounds severe enough for a fix so added to dla-needed with a note that patches are not available yet and therefore we cannot fully determine whether the problem is actually applicable to buster.