Re: CVE-2020-8859 for elog, should we support it?



Hi Ola,

On Tue, May 17, 2022 at 12:35 PM Ola Lundqvist <ola@inguza.com> wrote:
> While triaging today I noticed this rather old CVE. The elog package
> is clearly vulnerable (at least when looking through the source code).
> However I noticed that elog is removed (exists in buster and bullseye
> though) and it has a very low popcon score.
>
> Is it worth fixing?

I think this is a "<postponed> (Fix along with the next DLA)"
candidate. It doesn't appear to be severe enough to warrant a DLA
independently (unless I've overlooked something here).

> If not, we should say that this package is unsupported.

I don't think so. The only open CVE has a fix present. We should only
mark something as unsupported when there's a solid reason to, for
instance, the number of CVEs is too high with no or little
help/cooperation from upstream, et al, et al. In this case, I don't
think we should mark this as EOL yet.


- u