
Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.

In October, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 22.75h for LTS (out of 30 max) and 20h for ELTS (max).

There was a bit of backlog during my LTS triage week and for once I didn't make a pass at classifying old undetermined issues.

MITRE was responsive for public (non-embargoed) issues in common free software packages, when I submitted new references or requested a CVE to identify known issues. There was more ball passing and delays when there was another CNA (CVE Numbering Authority).

Interestingly some issues were not fixed in LTS due to them being marked 'ignored' in later distros (sometimes, regrettably, with no clear rationale), as this means there would be a regression when upgrading. It's probably worth checking my past security uploads to see if such discrepancies appeared (this month's nfs-utils comes to mind, I'll re-offer an oldstable/stable upload next month).

Ubuntu recently started a post-LTS extended security support as well, with private updates. For now it's not clear whether we can get access to ease cooperation.

The last uploads I did took me some more hours than expected, so I'm a bit over my time - that means I have a few hours in advance for next month (not accounted for above).

ELTS - Wheezy

  • CVE-2019-16928/exim4: triage: not-affected
  • CVE-2019-15165/libpcap: security upload
  • libpcap: triage: other vulnerabilities not-affected
  • CVE-2019-3689/nfs-utils: proposed patch and testing procedure to upstream and sid/salsa, ping, security upload
  • CVE-2019-3689/nfs-utils: update security tracker: proposed fs.protected_symlinks mitigation is not valid as /var/lib/nfs has no sticky-bit; coordinate with MITRE and SuSE to update CVE
  • CVE-2019-17041,CVE-2019-17042/rsyslog: security upload, clarify triage description
  • CVE-2019-17040/rsyslog: triage: not-affected
  • CVE-2019-14287/sudo: request backport to maintainer, security upload
  • CVE-2019-17544/aspell: security upload
  • CVE-2019-11043/php5: security upload, provide feedback about applicability to cgi
  • CVE triage week part 1
    • CVE-2019-13464/modsecurity-crs: triage: not-affected (affected rule is not present)
    • CVE-2019-14847,CVE-2019-14833/samba: triage: not-affected
    • CVE-2019-10218/samba: triage: affected
    • CVE-2019-14866/cpio: triage: affected
    • CVE-2018-21029/systemd: triage: not-affected
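The sticky-bit point in the nfs-utils entry above is easy to verify on a host: fs.protected_symlinks only restricts symlinks that live in a directory that is both world-writable and sticky. The script below is an added example, not code from this report or from nfs-utils; the /tmp and /var/lib/nfs sample paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the report): classify a directory by whether the
# kernel's fs.protected_symlinks restriction covers it. The restriction only
# applies to symlinks inside directories that are world-writable AND sticky
# (mode 1xx7, such as /tmp). /var/lib/nfs normally lacks the sticky bit, so
# the sysctl does not mitigate CVE-2019-3689 there.

# Prints "covered", "not-sticky", "not-world-writable" or "unreadable".
dir_symlink_coverage() {
    dir="$1"
    # Permission bits in octal (GNU/busybox stat), e.g. 1777 or 755.
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || { echo unreadable; return 0; }
    # Pad to four digits so the special-bits digit is always present.
    while [ "${#mode}" -lt 4 ]; do mode="0$mode"; done
    # A leading 0 makes the shell evaluate the value as octal.
    sticky=$(( 0$mode & 01000 ))
    world_w=$(( 0$mode & 00002 ))
    if [ "$world_w" -eq 0 ]; then echo not-world-writable
    elif [ "$sticky" -eq 0 ]; then echo not-sticky
    else echo covered
    fi
}

# Combine the directory check with the live sysctl value; returns 0 only
# when the kernel would actually refuse to follow a foreign symlink in DIR.
symlink_protection_applies() {
    setting=$(cat /proc/sys/fs/protected_symlinks 2>/dev/null || echo unknown)
    if [ "$setting" != 1 ]; then
        echo "fs.protected_symlinks=$setting: restriction inactive"
        return 1
    fi
    [ "$(dir_symlink_coverage "$1")" = covered ]
}

# Sample paths (assumed): /tmp is normally covered, /var/lib/nfs is not.
for d in /tmp /var/lib/nfs; do
    [ -d "$d" ] && echo "$d: $(dir_symlink_coverage "$d")"
done
```

Run it on the NFS state directory of an affected host to confirm the mode before relying on the sysctl as a mitigation.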

LTS - Jessie

  • Front-Desk week
    • firefox: ping i386 build status following user request
    • CVE-2019-3689/nfs-utils: triage: affected
    • CVE-2019-16723/cacti: triage: affected
    • CVE-2019-16892/ruby-zip: triage: postponed (minor issue, fix is zip bomb mitigation not enabled by default)
    • CVE-2018-21016,CVE-2018-21015/gpac: triage: postponed (minor issue, local DoS)
    • CVE-2019-13376/phpbb3: triage: reference fixes, request CVE for prior incomplete CSRF fix (SECURITY-188), fix-up confusion following that
    • CVE-2018-20839/xorg-server: re-triage: clarify and mark for later fix
    • CVE-2019-13504/exiv2: update: reference missing patch, check that it's not needed for jessie
    • CVE-2019-14369,CVE-2019-14370/exiv2: triage: not-affected
    • CVE-2019-11755/thunderbird: triage: affected
    • CVE-2019-16370,CVE-2019-15052/gradle: triage: postponed (old gradle mainly used for building Debian packages in a restricted environment)
    • CVE-2019-12412/libapreq2: triage: affected
    • CVE-2019-0193/lucene-solr: triage: affected; research commit for actual fix
    • CVE-2019-12401/lucene-solr: triage: affected; issue potentially in dependencies
    • CVE-2017-18635/novnc: triage: affected
    • CVE-2019-16239/openconnect: triage: affected
    • CVE-2019-14491,CVE-2019-14492,CVE-2019-14493/opencv: triage: postponed (DoS, PoC not crashing)
    • CVE-2019-14850,CVE-2019-14851/nbdkit: triage: ignored (DoS/amplification for specific configuration, non-trivial backport, low popcon)
    • CVE-2019-16910/polarssl: triage: affected, locate and reference patch
    • CVE-2019-16276/golang: triage: affected; later marked ignored, clarify that it's for consistency with later distros
    • CVE-2019-10723/libpodofo: revisit my early triage: ignored->postponed (minor but easy to add in later security upload)
    • DSA 4509-2/subversion: triage: not-affected
    • CVE-2019-8943/wordpress: triage: add precisions
    • CVE-2019-12922/phpmyadmin: triage: postponed (minor issue, unlikely situation); reference patch, reference patch at MITRE, mark unfixed
    • CVE-2019-16910/polarssl: reference patch at MITRE
    • CVE-2019-10219/libhibernate-validator-java: triage: no changes (still no clear information nor patch)
    • CVE-2019-11027/ruby-openid: triage: no changes (still no clear information nor patch)
    • CVE-2019-3685/osc: triage: no changes, report bug to packager, reference BTS
    • CVE-2019-1010091/tinymce: triage: ignored (questionable self-xss)
    • CVE-2019-16866/unbound: triage: not-affected
    • tcpdump,libpcap: triage: affected
    • CVE-2018-16301/libpcap: triage: asked upstream for commit, conclude duplicate, relay info to MITRE (not clear enough for them to mark duplicate AFAICS)
    • CVE-2019-14553/edk2: triage: end-of-life (non-free)
    • CVE-2019-9959/poppler: triage: affected
    • CVE-2019-10871/poppler: triage: cancel postponed (new upstream fix)
    • Remove remaining "not used by any sponsor" justification for Jessie LTS (one left-over from April clean-up)
  • CVE-2019-14287/sudo: security upload
  • CVE-2019-3689/nfs-utils: security upload
  • CVE-2019-11043/php5: security upload

Documentation/Scripts

  • Development: add reminder to add package short description / context in security announcements, since some team members tend to forget it (myself included)
  • ampache: provide feedback about maintaining support
  • libclamunrar: provide feedback about dropping support