Re: fis-gtm and support?
Hi Neil, all
Thank you very much for this information.
Just a small note. LTS differs from ELTS in that LTS aims to support
all software in Debian, except the ones clearly documented as not
supported.
The packages-to-support list is just an indication that these are the ones
the sponsors want us to support. Unless this has changed and I have
missed that.
I'll triage the other packages and see if something more appears. Not
sure where to document this, apart from it being in this email thread.
Cheers
// Ola
On Tue, 17 May 2022 at 10:05, Neil Williams <codehelp@debian.org> wrote:
>
> On Tue, 17 May 2022 09:25:36 +0200
> Ola Lundqvist <ola@inguza.com> wrote:
>
> > Hi again team
> >
> > Sorry for sending a lot of emails today but I need guidance from you.
> >
> > I have triaged the fis-gtm package. It has a large set of
> > vulnerabilities that can be considered rather severe. At least at
> > first glance. This votes for the package to be fixed.
> >
> > However the popcon score is very low. This votes for us to not
> > support it.
> >
> > What do you think?
>
> When I filed #1009900 for these CVEs, the issues all arose from fuzz
> testing and were not deemed to be exploitable. (Requiring local access
> and an ability to modify files). Also, the database format itself has
> changed in a non-backwards compatible way between the version currently
> in Debian (v6) and the latest upstream release (v7).
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009900#19
>
> As upstream have not (yet) provided specific commit references for any
> of the CVEs, I see no way to patch 6.3-014-3 in bullseye,
> 6.3-007-1 in buster or 6.3-000A-1 in stretch as the fixes have been
> applied upstream to the incompatible v7 format.
>
> Security Team haven't triaged fis-gtm for buster yet, I suspect that
> will get a <no-dsa> tag as the CVEs do not appear to be remotely
> exploitable, but check with Moritz or Salvatore.
>
> fis-gtm isn't listed in packages-to-support for debian-lts, so it would
> not appear to be a candidate.
>
> --
> Neil Williams
> =============
> https://linux.codehelp.co.uk/
--
--- Inguza Technology AB --- MSc in Information Technology ----
| ola@inguza.com opal@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------