
Re: fis-gtm and support?



Hi Neil, all

Thank you very much for this information.

Just a small note. LTS differs from ELTS in that LTS aims to support
all software in Debian, except the packages clearly documented as not
supported.
The packages-to-support list is just an indication that these are the ones
the sponsors want us to support. Unless this has changed and I have
missed that.

I'll triage the other packages and see if something more appears. Not
sure where to document this, apart from it being in this email thread.

Cheers

// Ola


On Tue, 17 May 2022 at 10:05, Neil Williams <codehelp@debian.org> wrote:
>
> On Tue, 17 May 2022 09:25:36 +0200
> Ola Lundqvist <ola@inguza.com> wrote:
>
> > Hi again team
> >
> > Sorry for sending a lot of emails today but I need guidance from you.
> >
> > I have triaged the fis-gtm package. It has a large set of
> > vulnerabilities that can be considered rather severe. At least at
> > first glance. This votes for the package to be fixed.
> >
> > However the popcon score is very low. This votes for us to not
> > support it.
> >
> > What do you think?
>
> When I filed #1009900 for these CVEs, the issues all arose from fuzz
> testing and were not deemed to be exploitable. (Requiring local access
> and an ability to modify files). Also, the database format itself has
> changed in a non-backwards compatible way between the version currently
> in Debian (v6) and the latest upstream release (v7).
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009900#19
>
> As upstream have not (yet) provided specific commit references for any
> of the CVEs, I see no way to patch 6.3-014-3 in bullseye,
> 6.3-007-1 in buster or 6.3-000A-1 in stretch as the fixes have been
> applied upstream to the incompatible v7 format.
>
> Security Team haven't triaged fis-gtm for buster yet; I suspect that
> will get a <no-dsa> tag as the CVEs do not appear to be remotely
> exploitable, but check with Moritz or Salvatore.
>
> fis-gtm isn't listed in packages-to-support for debian-lts, so it would
> not appear to be a candidate.
>
> --
> Neil Williams
> =============
> https://linux.codehelp.co.uk/



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------