
script to review no-dsa packages fixed in LTS-1 and LTS+1

Hi,

During an IRC meeting, Thorsten mentioned that he had noticed some packages that
had been fixed in stretch and wheezy-elts, but not in jessie (this was before the
jessie EOL), and that had been marked as no-dsa in jessie. Since the package had
been fixed in the previous and next releases, it made sense to re-review the reason
for that no-dsa tag, which might have been obsolete.

I've worked on a script to find these cases so they can be reviewed. It doesn't
consider packages that have been fixed in lts+1 via unstable, but only those that
have been explicitly fixed there via DSA or point release. I could change that, but
for now there are enough CVEs to review, so let's start with that.

If you find any false positives, please let me know. Obviously there's no rush in
triaging all of these this close to a point release, but I'm sending it anyway so
you can give some feedback.

Here's what I'm currently getting:

emilio@andromeda:~/deb/lts/security-tracker$ ./bin/lts-no-dsa-needs-review.py data/security.db 
CVE-2019-9948/python2.7 fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-9947/python2.7 fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-9740/python2.7 fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-16056/python2.7 fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2018-20852/python2.7 fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-11187/gosa fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-12838/slurm-llnl fixed in jessie and buster but no-dsa in stretch (Too intrusive to backport)
CVE-2019-5068/mesa fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2020-1712/systemd fixed in jessie and buster but no-dsa in stretch (Can be fixed via point release)
CVE-2020-8130/rake fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2016-10894/xtrlock fixed in jessie and buster but no-dsa in stretch (Minor issue; can be fixed via point release)
CVE-2020-3898/cups fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-8842/cups fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2020-5267/rails fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-16275/wpa fixed in jessie and buster but no-dsa in stretch (Minor issue; can be fixed via point release)
CVE-2020-8518/php-horde-data fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-3866/mistral fixed in jessie and buster but no-dsa in stretch (Minor issue; can be fixed via point release)
CVE-2019-15941/lemonldap-ng fixed in jessie and buster but no-dsa in stretch (Restrictions on OIDC federation added in 2.0)
CVE-2019-9658/checkstyle fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2020-3123/clamav fixed in jessie and buster but no-dsa in stretch (ClamAV is updated via -updates)
CVE-2020-0009/linux fixed in jessie and buster but no-dsa in stretch (Driver is not enabled or supported)
CVE-2020-1711/qemu fixed in jessie and buster but no-dsa in stretch (Intrusive to backport, revisit later)
CVE-2019-5008/qemu fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-12068/qemu fixed in jessie and buster but no-dsa in stretch (Minor issue, can be fixed along in future update)
CVE-2019-3866/python-oslo.utils fixed in jessie and buster but no-dsa in stretch (Minor issue; can be fixed via point release)
CVE-2020-8866/php-horde-form fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-9371/libvpx fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-13464/modsecurity-crs fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2020-8865/php-horde-trean fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-9892/otrs2 fixed in jessie and buster but no-dsa in stretch (Non-free not supported)
CVE-2019-9751/otrs2 fixed in jessie and buster but no-dsa in stretch (Non-free not supported)
CVE-2019-10067/otrs2 fixed in jessie and buster but no-dsa in stretch (Non-free not supported)
CVE-2019-20788/libvncserver fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-15690/libvncserver fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-11729/nss fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-11719/nss fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-12900/bzip2 fixed in jessie and buster but no-dsa in stretch (Not exploitable; potential dangerous parts already guarded)
CVE-2019-19949/imagemagick fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-15139/imagemagick fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-14981/imagemagick fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-13297/imagemagick fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-13295/imagemagick fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-13135/imagemagick fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-12974/imagemagick fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-11598/imagemagick fixed in jessie and buster but no-dsa in stretch (Fix along in next DSA)
CVE-2019-11597/imagemagick fixed in jessie and buster but no-dsa in stretch (Fix along in next DSA)
CVE-2019-11470/imagemagick fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2020-9402/python-django fixed in jessie and buster but no-dsa in stretch (Can be fixed along in a future DSA)
CVE-2019-12827/asterisk fixed in jessie and buster but no-dsa in stretch (Minor issue)
CVE-2019-5188/e2fsprogs fixed in jessie and buster but no-dsa in stretch (Minor issue)

Cheers,
Emilio
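The filter the mail describes (no-dsa in the LTS release, but fixed in the previous release and explicitly fixed in the next one via DSA or point release), as an added example that is not Emilio's script. It runs against a constructed, simplified in-memory table; the column names and the "via" values are assumptions, not the real security-tracker security.db schema.

```python
import sqlite3

# Constructed sample rows: (cve, package, release, state, via, reason).
# The CVE-XXXX-* ids are placeholders, not real CVEs.
SAMPLE_ROWS = [
    ("CVE-2019-9948", "python2.7", "jessie",  "fixed",  "dla",           None),
    ("CVE-2019-9948", "python2.7", "stretch", "no-dsa", None,            "Minor issue"),
    ("CVE-2019-9948", "python2.7", "buster",  "fixed",  "point-release", None),
    # Fixed in buster only through unstable: the mail says these are skipped.
    ("CVE-XXXX-0001", "foo", "jessie",  "fixed",  "dla",      None),
    ("CVE-XXXX-0001", "foo", "stretch", "no-dsa", None,       "Minor issue"),
    ("CVE-XXXX-0001", "foo", "buster",  "fixed",  "unstable", None),
    # Still open in jessie: not a "fixed on both sides" case.
    ("CVE-XXXX-0002", "bar", "jessie",  "open",   None,  None),
    ("CVE-XXXX-0002", "bar", "stretch", "no-dsa", None,  "Minor issue"),
    ("CVE-XXXX-0002", "bar", "buster",  "fixed",  "dsa", None),
]

def load(rows):
    """Build an in-memory table with the assumed simplified schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE status (cve TEXT, package TEXT, release TEXT,"
                 " state TEXT, via TEXT, reason TEXT)")
    conn.executemany("INSERT INTO status VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn

def needs_review(conn, lts="stretch", prev="jessie", nxt="buster"):
    """(cve, package, no-dsa reason) for issues tagged no-dsa in `lts` that are
    fixed in `prev` and explicitly fixed (DSA / point release) in `nxt`."""
    sql = """
        SELECT l.cve, l.package, l.reason
          FROM status l
          JOIN status p ON p.cve = l.cve AND p.package = l.package
          JOIN status n ON n.cve = l.cve AND n.package = l.package
         WHERE l.release = ? AND l.state = 'no-dsa'
           AND p.release = ? AND p.state = 'fixed'
           AND n.release = ? AND n.state = 'fixed'
           AND n.via IN ('dsa', 'point-release')
         ORDER BY l.cve"""
    return conn.execute(sql, (lts, prev, nxt)).fetchall()

def report(rows, lts="stretch", prev="jessie", nxt="buster"):
    """Render hits in the same one-line form as the mail's output."""
    return [f"{cve}/{pkg} fixed in {prev} and {nxt} but no-dsa in {lts} ({reason})"
            for cve, pkg, reason in needs_review(load(rows), lts, prev, nxt)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ROWS)))
```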