LTS report for May 2019 - Abhijith PA
May 2019 was my 16th month as a Debian LTS paid contributor. I was
assigned 14 hours plus 10 hours carried over from last month. I spent 17
hours on the following.
* jruby: was FTBFS for a long time in jessie due to openjdk security
uploads. I was able to find an old patch[1] from the openjdk mailing list to
fix the FTBFS. Marked CVE-2018-1000073 as not-affected, fixed the
remaining 10 vulnerabilities and issued a DLA[2] (CVE-2018-1000074
CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078
CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324
CVE-2019-8325).
* tomcat7: CVE-2019-0221 is a very minor issue. tomcat7 was FTBFS in
jessie, similar to jruby. Fixed, tested and released a DLA[3].
* wordpress: Two RCE vulnerabilities, CVE-2019-8942 & CVE-2019-8943, were
published by Ripstech. CVE-2019-8942 was fixed in the last update of
wordpress (previous month), though CVE-2019-8943 was kept as it is. The
4.1.x branch in jessie gets updates[4] for it every 4-5
months upstream. If a new update comes for CVE-2019-8943 it will be
backported. Though with the CVE-2019-8942 fix, CVE-2019-8943 is
non-exploitable[5] to an extent, as the former plays an important role.
* ruby-omniauth: CVE-2015-9284 hasn't been fixed upstream. The rails
community created a new gem, omniauth-rails_csrf_protection[6], to
address this issue. This vulnerability is actively being discussed in
its github issue[6]. I don't see any meaningful reverse dependency
for ruby-omniauth in jessie, so it has less priority for now.
* tomcat8: is also affected by CVE-2019-0221 and is currently FTBFS
due to a couple of test failures. Started investigating that and will
upload in the coming days.
Regards
Abhijith PA
[1] - https://github.com/jruby/jruby/commit/e9a01086b0c6e37762628806854ca9b28e6f5540
[2] - https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html
[3] - https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html
[4] - https://wordpress.org/download/releases/
[5] - https://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-wordpress-remote-code-execution-vulnerabilities-cve-2019-8942-and-cve-2019-8943/
[6] - https://github.com/cookpad/omniauth-rails_csrf_protection