[Debian-med-packaging] Bug#1009900: fis-gtm: Multiple CVEs in fis-gtm

Andreas Tille tille at debian.org
Thu Apr 21 08:20:58 BST 2022


Hi Amul,

in addition to Neil's answer I have the following remarks:

Am Wed, Apr 20, 2022 at 07:55:02PM +0000 schrieb Shah, Amul:
> Hi Andreas,
> In FIS's opinion, the CVE references are not actionable. One must have host access and the ability to modify application source files. Those users are typically database/systems administrators or a MUMPS application developer. We expect that only privileged users have direct access to the host with the application gating access to external users. By itself, GT.M does not confer any extra privileges.
> 
> How long do we have to address these CVEs? If immediate, I can back-patch the specific fixes that address the CVEs. I say back-patch because V6.3-014 was the last V6 version with a V6 block format database.

I think if this will be the latest V6 version that should be released to
the users then it makes sense to backport the fixes.

> The current V7 GT.M versions do not have an upgrade path to the V7 block format. We do not want to release a GT.M version to debmed without such an upgrade feature. If there is time, then we are working on a V7 version with the V6 to V7 block upgrade capability and would like to release that.

I noticed that there is V7 and I think we should work on this until the
end of summer.  It has to pass the NEW queue and migrate to testing by the
end of the year if it should be part of the next stable release.

Kind regards

       Andreas.

-- 
http://fam-tille.de
