
Triage status for a few old packages



Hello Security Team,

There are a few packages that we intend to support in LTS, but whose triage might be incomplete (missing CVEs).

We'd like to clarify the status of these packages in Debian and, if additional triage is necessary, check how to best coordinate with you.

We're interested in particular in the following packages:

- python2.7: there are missing CVEs compared to python3.*;
python2.7 was referenced in security-support-limited (2020-11), and marked obsolete in the bullseye release notes (2020-08), but there has been some (partial) triage since then.
Example missing CVE: CVE-2022-45061
https://security-tracker.debian.org/tracker/source-package/python2.7
https://security-tracker.debian.org/tracker/source-package/python3.9

- gnupg1: there is no new CVE since 2019, but there are very few CVEs assigned to gnupg2 so maybe it's an oversight.
Example missing CVE: CVE-2022-34903
https://security-tracker.debian.org/tracker/source-package/gnupg1
https://security-tracker.debian.org/tracker/source-package/gnupg2

- sqlite (v2.8): there's only a single CVE from 2007. Lots of CVEs only apply to a subset of sqlite3 though, explaining part of the huge difference between sqlite and sqlite3.
Example missing CVE: CVE-2020-35525
Note: we also seem to miss a few "SQLite in Google Chrome" CVEs in both sqlite and sqlite3, which were only linked to chromium, e.g. CVE-2019-13752.
https://security-tracker.debian.org/tracker/source-package/sqlite
https://security-tracker.debian.org/tracker/source-package/sqlite3

(- I had also noted discrepancies in lua5*, but it appears all missing CVEs are not-affected and implicitly triaged through non-association.)


Is Debian currently triaging (associating CVEs) for these packages?
(Or are they obsolete somehow?)

If they are not triaged and you do not wish to perform such triage, would you mind if we do, and do you have recommendations so as to respect each other's workflows?

Cheers!
Sylvain Beucler
Debian LTS Team
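The discrepancy check described in the mail (CVEs associated with one source package but not with its sibling), as an added example that is not part of the original message: it works over a constructed snippet in the shape of the security tracker's JSON export (assumed format: source package -> CVE id -> per-release status), with the CVE ids taken from the mail and one placeholder id, and reports per pair the ids that still need an explicit triage entry.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of the Debian security tracker's JSON export
# (https://security-tracker.debian.org/tracker/data/json, format assumed):
# top-level keys are source packages, each mapping CVE ids to release status.
# Ids named in the mail are reused; CVE-0000-00001 is a placeholder, and all
# status values are made up.
SAMPLE_TRACKER_JSON = json.dumps({
    "python3.9": {
        "CVE-2022-45061": {"releases": {"bullseye": {"status": "open"}}},
        "CVE-0000-00001": {"releases": {"bullseye": {"status": "resolved"}}},
    },
    "python2.7": {
        "CVE-0000-00001": {"releases": {"buster": {"status": "open"}}},
    },
    "gnupg2": {
        "CVE-2022-34903": {"releases": {"bullseye": {"status": "resolved"}}},
    },
    "gnupg1": {},
})


def load_cves_per_package(tracker_json: str) -> Dict[str, Set[str]]:
    """Map each source package to the set of CVE ids the tracker associates with it."""
    data = json.loads(tracker_json)
    return {pkg: set(cves.keys()) for pkg, cves in data.items()}


def triage_gaps(cves: Dict[str, Set[str]], reference: str, candidate: str) -> Set[str]:
    """CVE ids associated with `reference` but not with `candidate`.

    Each id is a triage candidate, not a confirmed vulnerability: the candidate
    package may be not-affected (e.g. the bug is in code the older branch never
    had) and only lacks an explicit entry saying so.
    """
    return cves.get(reference, set()) - cves.get(candidate, set())


def report(tracker_json: str, pairs: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """For each (reference, candidate) pair, list the ids missing on the candidate."""
    cves = load_cves_per_package(tracker_json)
    return {f"{ref} -> {cand}": sorted(triage_gaps(cves, ref, cand))
            for ref, cand in pairs}


if __name__ == "__main__":
    pairs = [("python3.9", "python2.7"), ("gnupg2", "gnupg1")]
    for pair, missing in report(SAMPLE_TRACKER_JSON, pairs).items():
        print(pair, missing)
```

Against the live export, the same functions apply unchanged to the parsed JSON; an empty result for a pair means every id on the reference package already has some entry on the candidate.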

