Debian Long Term Support work 2023 November

  • Added strongswan to dla-needed. It has been fixed for stable and has a potential for┬áremote arbitrary code execution.
  • Added firefox-esr to dla-needed. Already fixed in bullseye.
  • Added thunderbird to dla-needed. Same problems as in firefox-esr and firefox-esr has already been fixed in bullseye.
  • Marked the following CVEs as no-dsa following decision for bullseye.
    • CVE-2022-46337
    • CVE-2023-48161
    • CVE-2023-46445
    • CVE-2023-46446
    • CVE-2016-1243
    • CVE-2016-1244
    • CVE-2023-40030
  • Started to sort out whether gimp-dds should be fixed or not. Not that easy to conclude. Will continue.
  • Added tinymce to dla-needed.
  • Analyzed httpie. It is not clear if there is a vulnerability. When the tool is tested the verification works. It is not clear from the description what kind of verification is missing. It points to two things:
    • No verification when fetching the package version data for httpie itself. This can be considered minor.
    • Disabled warnings in client.py. Here it claims that it disables validation but it seems to work fine when tested. This should be investigated further.
  • Marked snort CVE-2023-20246 as not-affected for buster since only 3.x versions are affected. This applies to all Debian releases, but I'm letting the regular security team to do that work.
  • Marked CVE-2023-49208 as not affected for buster.
  • Investigated bouncycastle a little. DoS class vulnerability. The question is whether it is important enough or not. It depends on what it is used for. Will continue analysis.
  • Postponed 5 CVEs for freeimage following decision for bullseye.