
Re: fis-gtm and support?



On Tue, 17 May 2022 09:25:36 +0200
Ola Lundqvist <ola@inguza.com> wrote:

> Hi again team
> 
> Sorry for sending a lot of emails today, but I need guidance from you.
> 
> I have triaged the fis-gtm package. It has a large set of
> vulnerabilities that can be considered rather severe. At least at
> first glance. This votes for the package to be fixed.
> 
> However, the popcon score is very low. This votes for us to not
> support it.
> 
> What do you think?

When I filed #1009900 for these CVEs, the issues all arose from fuzz
testing and were not deemed to be exploitable (they require local access
and an ability to modify files). Also, the database format itself has
changed in a non-backwards-compatible way between the version currently
in Debian (v6) and the latest upstream release (v7).

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009900#19

As upstream have not (yet) provided specific commit references for any
of the CVEs, I see no way to patch 6.3-014-3 in bullseye,
6.3-007-1 in buster or 6.3-000A-1 in stretch as the fixes have been
applied upstream to the incompatible v7 format.

Security Team haven't triaged fis-gtm for buster yet. I suspect that it
will get a <no-dsa> tag, as the CVEs do not appear to be remotely
exploitable, but check with Moritz or Salvatore.

fis-gtm isn't listed in packages-to-support for debian-lts, so it would
not appear to be a candidate.

-- 
Neil Williams
=============
https://linux.codehelp.co.uk/
