[Git][security-tracker-team/security-tracker][master] Removed firmware-nonfree from dla needed. Marked the relevant CVEs as either...
Ola Lundqvist (@opal)
opal at debian.org
Thu May 20 07:36:09 BST 2021
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker
Commits:
05d65275 by Ola Lundqvist at 2021-05-20T08:35:47+02:00
Removed firmware-nonfree from dla needed. Marked the relevant CVEs as either ignored (if linux package update is needed as well) or plain no-dsa in other cases. There is no plan to update buster for these issues and therefore there is no good reason for updating stretch as well. An update may very well be suitable at a later date when some other more pressing issue arises.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -78646,6 +78646,7 @@ CVE-2020-12364 (Null pointer reference in some Intel(R) Graphics Drivers for Win
- linux <unfixed>
- firmware-nonfree 20210208-1
[buster] - firmware-nonfree <no-dsa> (Non-free not supported)
+ [stretch] - firmware-nonfree <ignored> (Minor issue, too intrusive to fix since kernel patch is needed)
NOTE: Short of details: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00438.html
NOTE: Per Intel, this was fixed by a firmware update. v49.0.1 of the
NOTE: firmware is required. The new firmware requires a kernel patch
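Review bot: The added [stretch] line justifies <ignored> by the kernel patch requirement, but the "- linux <unfixed>" line at the top of this entry has no stretch annotation, so the kernel half of the same decision is not recorded. Consider adding a matching [stretch] annotation for linux, or a NOTE saying the required kernel patch will not be backported. The same applies to the identical additions under CVE-2020-12363 and CVE-2020-12362. "Minor issue" also sits directly above a NOTE that calls the advisory short of details; the kernel dependency is the reason these lines actually support.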
@@ -78655,6 +78656,7 @@ CVE-2020-12363 (Improper input validation in some Intel(R) Graphics Drivers for
- linux <unfixed>
- firmware-nonfree 20210208-1
[buster] - firmware-nonfree <no-dsa> (Non-free not supported)
+ [stretch] - firmware-nonfree <ignored> (Minor issue, too intrusive to fix since kernel patch is needed)
NOTE: Short of details: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00438.html
NOTE: Per Intel, this was fixed by a firmware update. v49.0.1 of the
NOTE: firmware is required. The new firmware requires a kernel patch
@@ -78664,6 +78666,7 @@ CVE-2020-12362 (Integer overflow in the firmware for some Intel(R) Graphics Driv
- linux <unfixed>
- firmware-nonfree 20210208-1
[buster] - firmware-nonfree <no-dsa> (Non-free not supported)
+ [stretch] - firmware-nonfree <ignored> (Minor issue, too intrusive to fix since kernel patch is needed)
NOTE: Short of details: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00438.html
NOTE: Per Intel, this was fixed by a firmware update. v49.0.1 of the
NOTE: firmware is required. The new firmware requires a kernel patch
@@ -78760,6 +78763,7 @@ CVE-2020-12322 (Improper input validation in some Intel(R) Wireless Bluetooth(R)
CVE-2020-12321 (Improper buffer restriction in some Intel(R) Wireless Bluetooth(R) pro ...)
- firmware-nonfree <unfixed>
[buster] - firmware-nonfree <no-dsa> (non-free not supported)
+ [stretch] - firmware-nonfree <no-dsa> (Minor issue, can be considered if some other major issue appear)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00403.html
NOTE: See notes for CVE-2020-12313
CVE-2020-12320 (Uncontrolled search path in Intel(R) SCS Add-on for Microsoft* SCCM be ...)
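Review bot: The reason on the added [stretch] line, "can be considered if some other major issue appear", describes a deferral rather than a decision not to fix, which is what the tracker's <postponed> state is for; <no-dsa> with this wording leaves the intent ambiguous to anyone triaging later. Suggest using <postponed> here and in the other Bluetooth/WiFi entries with the same wording, and correcting "appear" to "appears".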
@@ -78767,6 +78771,7 @@ CVE-2020-12320 (Uncontrolled search path in Intel(R) SCS Add-on for Microsoft* S
CVE-2020-12319 (Insufficient control flow management in some Intel(R) PROSet/Wireless ...)
- firmware-nonfree <unfixed>
[buster] - firmware-nonfree <no-dsa> (non-free not supported)
+ [stretch] - firmware-nonfree <no-dsa> (Minor issue, can be considered if some other major issue appear)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00402.html
NOTE: See notes for CVE-2020-12313
CVE-2020-12318 (Protection mechanism failure in some Intel(R) PROSet/Wireless WiFi pro ...)
@@ -78774,6 +78779,7 @@ CVE-2020-12318 (Protection mechanism failure in some Intel(R) PROSet/Wireless Wi
CVE-2020-12317 (Improper buffer restriction in some Intel(R) PROSet/Wireless WiFi prod ...)
- firmware-nonfree <unfixed>
[buster] - firmware-nonfree <no-dsa> (non-free not supported)
+ [stretch] - firmware-nonfree <no-dsa> (Minor Issue, May be considered if some major issue appear)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00402.html
NOTE: See notes for CVE-2020-12313
CVE-2020-12316 (Insufficiently protected credentials in the Intel(R) EMA before versio ...)
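Review bot: The reason string on the added [stretch] line, "(Minor Issue, May be considered if some major issue appear)", differs in capitalisation and wording from the one used for CVE-2020-12321 and CVE-2020-12319, "(Minor issue, can be considered if some other major issue appear)". Since these entries record the same decision, use one string for all of them so that a text search for the reason finds every affected CVE.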
@@ -78785,6 +78791,7 @@ CVE-2020-12314 (Improper input validation in some Intel(R) PROSet/Wireless WiFi
CVE-2020-12313 (Insufficient control flow management in some Intel(R) PROSet/Wireless ...)
- firmware-nonfree <unfixed>
[buster] - firmware-nonfree <no-dsa> (non-free not supported)
+ [stretch] - firmware-nonfree <no-dsa> (Minor Issue, May be considered if some major issue appear)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00402.html
NOTE: Fixed firmware blobs:
NOTE: ibt-18-16-1.sfi: FW Build: REL17064 Release Version: 22.20.0.3
=====================================
data/dla-needed.txt
=====================================
@@ -36,13 +36,6 @@ condor
NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
NOTE: 20210205: Some patches seems to be available but not clear if it solves the whole issue or not. (ola)
--
-firmware-nonfree
- NOTE: 20201207: wait for the update in buster and backport that (Emilio)
- NOTE: 20210519: CVE-2020-1236[2,3,4] need a kernel patch to actually allow to
- NOTE: 20210519: use the new firmware and that patch isn't present in 4.19 (and ofc also not in 4.9)
- NOTE: 20210519: Kernel maintainers do not plan to update buster. They can accept an update in buster by the LTS team. (Ola)
- NOTE: 20210519: Propose to not update the package due to the current issues. (Ola)
---
golang-github-appc-cni (Thorsten Alteholz)
NOTE: 20210517: still WIP, trying to automize golang updates
--
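Review bot: The removed firmware-nonfree block holds the only record that the required kernel patch is missing from 4.19 and 4.9 and that the kernel maintainers do not plan a buster update; after this removal the data/CVE/list entries say only "kernel patch is needed". Carry those 20210519 facts into a NOTE under CVE-2020-12362, CVE-2020-12363 and CVE-2020-12364 so the rationale survives outside the commit history. The removed block also ended with "---" where the neighbouring entries use "--", so its deletion leaves the separators consistent.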
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05d65275176dbc44d1fea51fb8aac7269c545374