[Git][security-tracker-team/security-tracker][master] dla: drop replicated 'fields' from LTS packages database
Sylvain Beucler (@beuc)
beuc at debian.org
Sat Jun 3 19:24:22 BST 2023
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
80ece398 by Sylvain Beucler at 2023-06-03T20:22:55+02:00
dla: drop replicated 'fields' from LTS packages database
The fields are now displayed through the LTS 'find-work' script, to avoid duplication and de-sync issues.
Cf. http://meetbot.debian.net/debian-lts/2023/debian-lts.2023-05-25-13.58.html
Plans are underway to make the script public (issue 33).
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
=====================================
data/dla-needed.txt
=====================================
@@ -5,6 +5,12 @@ The specific CVE IDs do not need to be listed, they can be gathered in an up-to-
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.
+When checking what packages to work on, use:
+$ ./find-work
+from the LTS admin repository, to sort packages by priority and
+display important notes about the package (special attention, VCS,
+testing procedures, programming language, etc.).
+
To work on a package, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
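Review bot: the new instructions `+$ ./find-work` / `+from the LTS admin repository` point readers of dla-needed.txt at a script in a repository that, per the commit message, is not yet public (issue 33), so anyone without access to the LTS admin repository loses the fields this commit removes from the file with no fallback. Suggest naming or linking that repository and stating who can access it, or keeping a pointer to where the same fields can be read until the script is published.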
@@ -14,59 +20,46 @@ rather than remove/replace existing ones.
--
c-ares (gladk)
- NOTE: 20230523: Programming language: C.
- NOTE: 20230523: VCS: https://salsa.debian.org/lts-team/packages/c-ares.git
+ NOTE: 20230523: Added by Front-Desk
--
cairosvg
- NOTE: 20230323: Programming language: Python.
+ NOTE: 20230323: Added by Front-Desk
NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert)
- NOTE: 20230519: VCS: https://salsa.debian.org/lts-team/packages/cairosvg.git
--
cinder
- NOTE: 20230525: Programming language: Python.
+ NOTE: 20230525: Added by Front-Desk
NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
docker-registry
- NOTE: 20230525: Programming language: Go.
+ NOTE: 20230525: Added by Front-Desk
--
docker.io
- NOTE: 20230303: Programming language: Go.
+ NOTE: 20230303: Added by Front-Desk
NOTE: 20230303: Follow fixes from bullseye 11.2 (Beuc/front-desk)
- NOTE: 20230320: VCS: https://salsa.debian.org/lts-team/packages/docker.io.git
NOTE: 20230424: Is in preparation. (gladk)
--
erlang (Markus Koschany)
- NOTE: 20221119: Programming language: Erlang.
+ NOTE: 20221119: Added by Front-Desk
NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request has been for Stretch)
- NOTE: 20230111: VCS: https://salsa.debian.org/erlang-team/packages/erlang
- NOTE: 20230111: Maintainer notes: Coordinate with maintainer, whether their VCS can be used. Mail send to mailing list.
--
fusiondirectory (Abhijith PA)
- NOTE: 20221203: Programming language: PHP.
+ NOTE: 20221203: Added by Front-Desk
NOTE: 20221203: Please evaluate, whether the package can be fixed (gladk).
NOTE: 20221203: Two CVEs have only mitigation, fix in a new version (gladk).
NOTE: 20221203: Also the package was removed from sid recently (gladk).
NOTE: 20221203: Feel free to marke both CVEs as <ignored>, if they are not too serious (gladk).
- NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/fusiondirectory.git
NOTE: 20230523: Added upstream commit references to security tracker. Patched our version, testing (abhijith)
--
golang-go.crypto (Markus Koschany)
- NOTE: 20220915: Programming language: Go.
+ NOTE: 20220915: Added by Front-Desk
NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk)
- NOTE: 20220915: Special attention: limited support, cf. buster release notes
- NOTE: 20220915: Special attention: rebuild reverse-dependencies if needed, e.g. DLA-2402-1 -> DLA-2453-1/DLA-2454-1/DLA-2455-1
- NOTE: 20220915: Special attention: also check bullseye status
- NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/golang-go.crypto.git
--
golang-yaml.v2 (sgmoore)
- NOTE: 20230125: Programming language: Go.
- NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/golang-yaml.v2.git
- NOTE: 20230125: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't).
+ NOTE: 20230125: Added by Front-Desk
NOTE: 20230525: In review with utkarsh.
--
hdf5
- NOTE: 20230318: Programming language: C/C++.
- NOTE: 20230318: VCS: https://salsa.debian.org/lts-team/packages/hdf5.git
+ NOTE: 20230318: Added by Front-Desk
NOTE: 20230318: Consider fixing all the no-dsa and postponed issues as well. (utkarsh)
NOTE: 20230318: Enrico did some work around hdf5* packaging in the past, probably
NOTE: 20230318: sync w/ him. (utkarsh)
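Review bot: this hunk drops actionable warnings, not only replicated metadata: the golang-go.crypto lines `- NOTE: 20220915: Special attention: limited support, cf. buster release notes` and `- NOTE: 20220915: Special attention: rebuild reverse-dependencies if needed, e.g. DLA-2402-1 -> DLA-2453-1/DLA-2454-1/DLA-2455-1`, and the golang-yaml.v2 note that reverse build dependencies need rebuilding. Unless find-work is confirmed to print these for the package, a contributor who claims golang-yaml.v2 from the file alone will miss the rebuild requirement; the erlang `Maintainer notes: Coordinate with maintainer` line is a coordination instruction in the same situation. Suggest verifying that each removed Special attention / Maintainer notes entry exists in the packages database before removing it here.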
@@ -78,26 +71,21 @@ hdf5
NOTE: 20230520: so giving up on the package. (tobi)
--
libcap2 (Abhijith PA)
- NOTE: 20230517: Programming language: C.
- NOTE: 20230517: VCS: https://salsa.debian.org/lts-team/packages/libcap2.git
+ NOTE: 20230517: Added by Front-Desk
--
libfastjson (Thorsten Alteholz)
- NOTE: 20230507: Programming language: C.
+ NOTE: 20230507: Added by Front-Desk
NOTE: 20230507: the CVE was fixed in json-c already
NOTE: 20230521: an RCE CVE of cups-filter made a mess of the timing
--
libreoffice
- NOTE: 20230530: Programming language: C++.
- NOTE: 20230530: VCS: https://salsa.debian.org/lts-team/packages/libreoffice.git
+ NOTE: 20230530: Added by Front-Desk
--
linux (Ben Hutchings)
- NOTE: 20230111: Programming language: C
+ NOTE: 20230111: Added by Front-Desk
--
nova
- NOTE: 20230302: Programming language: Python.
- NOTE: 20230302: VCS: https://salsa.debian.org/openstack-team/services/nova
- NOTE: 20230302: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/OpenStack.html
- NOTE: 20230302: Maintainer notes: Contact original maintainer: zigo.
+ NOTE: 20230302: Added by Front-Desk
NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression
NOTE: 20230302: (it's meant to check whether a VMDK image has the "monoliticFlat" subtype, but in practice it breaks compute nodes);
NOTE: 20230302: cf. debian/patches/cve-2022-47951-nova-stable-rocky.patch, which depends on images_*.patch.
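Review bot: removing `- NOTE: 20230302: Maintainer notes: Contact original maintainer: zigo.` from the nova entry leaves the surviving line `NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression` with nothing identifying who zigo is or why they should be contacted. Suggest keeping the maintainer-contact note in the file (it is a coordination instruction rather than a replicated field) or rewording the following note to identify zigo as the original maintainer; the same applies to the removed Testsuite link, which the regression note makes directly relevant.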
@@ -109,60 +97,52 @@ nova
NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
nvidia-cuda-toolkit
- NOTE: 20230514: Programming language: binary blobs.
+ NOTE: 20230514: Added by Front-Desk
NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have
NOTE: 20230514: piled up. (utkarsh)
--
openimageio (gladk)
- NOTE: 20230406: Programming language: C.
- NOTE: 20230406: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git
+ NOTE: 20230406: Added by Front-Desk
NOTE: 20230508: WIP
--
openjdk-11 (Emilio)
- NOTE: 20230419: Programming language: Java.
- NOTE: 20230419: VCS: https://salsa.debian.org/lts-team/packages/openjdk-11.git
+ NOTE: 20230419: Added by Front-Desk
NOTE: 20230522: waiting for sid/bullseye update (pochu)
--
openssl (Sylvain Beucler)
- NOTE: 20230531: Programming language: C.
- NOTE: 20230531: VCS: https://salsa.debian.org/debian/openssl.git
- NOTE: 20230531: Special attention: Very high popcon!.
+ NOTE: 20230531: Added by Front-Desk
NOTE: 20230531: also handle no-dsa issues (pochu)
--
owslib (Adrian Bunk)
- NOTE: 20230514: Programming language: Python.
- NOTE: 20230514: VCS: https://salsa.debian.org/lts-team/packages/owslib.git
+ NOTE: 20230514: Added by Front-Desk
NOTE: 20230514: also in dsa-needed. (utkarsh)
--
php-cas
- NOTE: 20221105: Programming language: PHP.
+ NOTE: 20221105: Added by Front-Desk
NOTE: 20221105: The fix is not backwards compatible. Should be investigated further whether this issue should be solved or ignored.. (ola)
NOTE: 20221107: php-cas only has 2 reverse-deps in buster (fusiondirectory, ocsinventory-reports),
NOTE: 20221107: consider fixing all 3 packages; also check situation in ELTS for reference (Beuc/front-desk)
NOTE: 20221110: a DSA is planned (Beuc/front-desk)
- NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/php-cas.git
--
python-glance-store
- NOTE: 20230525: Programming language: Python.
+ NOTE: 20230525: Added by Front-Desk
NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
python-os-brick
- NOTE: 20230525: Programming language: Python.
+ NOTE: 20230525: Added by Front-Desk
NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
python-oslo.privsep
- NOTE: 20221231: Programming language: Python.
- NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/python-oslo.privsep.git
+ NOTE: 20221231: Added by Front-Desk
NOTE: 20230525: CVE-2022-38065 has been marked as Won't-fix/Hardening opportunity.
NOTE: 20230525: It was mentioned the fix was easy but tedious. It is consumer design flaw issue.
--
python3.7 (Adrian Bunk)
- NOTE: 20230220: Programming language: C, Python.
- NOTE: 20230220: VCS: https://salsa.debian.org/lts-team/packages/python3.7.git
- NOTE: 20230220: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/python.html
+ NOTE: 20230220: Added by Front-Desk
NOTE: 20230228: Waiting for actual upstream fix for CVE-2023-24329. (bunk)
--
rails
+ NOTE: 20220909: Added by Front-Desk
NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg00004.html (abhijith)
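Review bot: the dating of the new `Added by Front-Desk` lines is inconsistent within this hunk: for python-oslo.privsep the replacement reuses 20221231 from the removed Programming language line, while for rails the line `+ NOTE: 20220909: Added by Front-Desk` is inserted without any removed line on that date, apparently taken from the first existing rails note. If the date is meant to record when Front-Desk added the package, state that convention in the file header so the line is not read as a field the script can verify. The openssl line `- NOTE: 20230531: Special attention: Very high popcon!.` is likewise a risk note rather than a database field; confirm find-work shows it before it disappears from the file.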
@@ -172,50 +152,39 @@ rails
NOTE: 20221003: https://github.com/rails/rails/issues/45590#issuecomment-1249123907 (abhijith)
NOTE: 20221024: Delay upload, see above comment, users have done workaround. Not a good idea
NOTE: 20221024: to break thrice in less than 2 month.
- NOTE: 20221209: Programming language: Ruby.
- NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/rails.html
NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh)
- NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/rails.git
--
ring (Thorsten Alteholz)
- NOTE: 20221120: Programming language: C++.
- NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ring.git
+ NOTE: 20221120: Added by Front-Desk
NOTE: 20230507: testing package
NOTE: 20230521: an RCE CVE of cups-filter made a mess of the timing
--
ruby-loofah
- NOTE: 20221231: Programming language: Ruby.
- NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/ruby-loofah.git
+ NOTE: 20221231: Added by Front-Desk
NOTE: 20230313: Pinged Daniel re. patches in repo ^. (lamby)
NOTE: 20230403: See "RFC: ruby-loofah 2.2.3-1+deb10u2" thread on debian-lts list. (lamby)
NOTE: 20230403: Everything ready, just waiting for ruby-rails-html-sanitizer/utkarsh (dleidert)
--
ruby-rails-html-sanitizer
- NOTE: 20221231: Programming language: Ruby.
- NOTE: 20221231: VCS: https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git
+ NOTE: 20221231: Added by Front-Desk
NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with appropriate methods. (utkarsh)
--
ruby2.5 (Chris Lamb)
- NOTE: 20230602: Programming language: C, Ruby.
+ NOTE: 20230602: Added by Front-Desk
NOTE: 20230602: look at no-dsa issues (pochu)
--
salt
- NOTE: 20220814: Programming language: Python.
+ NOTE: 20220814: Added by Front-Desk
NOTE: 20220814: I am not sure, whether it is possible to fix issues
NOTE: 20220814: without backporting a newer verion. (Anton)
- NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/salt.html
- NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/salt.git
--
samba (Lee Garrett)
- NOTE: 20220904: Programming language: C.
- NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/samba.git
- NOTE: 20220904: Special attention: High popcon! Used in many servers.
+ NOTE: 20220904: Added by Front-Desk
NOTE: 20220904: Many postponed or open CVE in general. (apo)
NOTE: 20230323: Still working on the long list of CVEs, will likely release an intermittent package first (lee)
--
webkit2gtk (Emilio)
- NOTE: 20230512: Programming language: C++.
- NOTE: 20230512: VCS: https://salsa.debian.org/webkit-team/webkit.git
+ NOTE: 20230512: Added by Front-Desk
NOTE: 20230512: checking if upgrade to 2.40.x is possible, otherwise we'll have to EOL webkit (pochu)
NOTE: 20230529: made some progress on the backport, but there are still some blockers,
NOTE: 20230529: particularly around (the lack of) C++20 support. (pochu)
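Review bot: the webkit2gtk line `- NOTE: 20230512: VCS: https://salsa.debian.org/webkit-team/webkit.git` is dropped even though it points outside lts-team/packages, which is exactly the case where a contributor needs the hint; confirm find-work displays the VCS field for packages not kept under lts-team before removing it. The same question applies to the samba line `- NOTE: 20220904: Special attention: High popcon! Used in many servers.`, a risk note rather than replicated metadata. Minor: for ring the replacement keeps the 20221120 date of the Programming language line rather than the 20230111 date of the removed VCS line, so the replacement date is consistently the oldest removed date; worth stating that convention once in the file header.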
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/80ece398af9bce94d1e7adf9dbe9300558308800