Re: Triage status for a few old packages

To: Sylvain Beucler <beuc@beuc.net>
Cc: Debian Security Team <team@security.debian.org>, jmm@debian.org, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: Triage status for a few old packages
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 12 Apr 2023 22:58:15 +0200
Message-id: <[🔎] ZDcbZ7mmBKlBT4hG@eldamar.lan>
Mail-followup-to: Sylvain Beucler <beuc@beuc.net>, Debian Security Team <team@security.debian.org>, jmm@debian.org, Debian LTS <debian-lts@lists.debian.org>
In-reply-to: <[🔎] 62b4bc03-19f8-77d7-a5da-ddf5ac8b699c@beuc.net>
References: <7c3cf34d-aded-11fb-5aa9-99db8333c562@beuc.net> <[🔎] ZCiGoMaQVyOVcq+q@eldamar.lan> <[🔎] 62b4bc03-19f8-77d7-a5da-ddf5ac8b699c@beuc.net>

Hi Sylvain,

On Thu, Apr 06, 2023 at 05:54:08PM +0200, Sylvain Beucler wrote:
> Hello Security Team,
> 
> On 01/04/2023 21:31, Salvatore Bonaccorso wrote:
> > First a disclaimer, this probably needs further discussion, reflects
> > my current personal knowledge and view on the question, and further
> > feedback is appreciated by at least one other persion in the Debian
> > security team doing frequent CVE triage, I have in mind Moritz.
> 
> Waiting for other security team members' input, I can clarify a couple
> points and propose a plan for action.

Still welcome.

> First I confirm that this is intended for LTS only; for ELTS we can just
> triage in the ELTS security tracker almost without interference.

Thanks a lot for confirming.

> - For python2.7, AFAIU you would be inclined to associate CVEs to that
> package more often, for the duration of buster-lts, which would help a lot.
> On the LTS side we'd like to associate all the past python3.x CVEs to
> python2.7 (13 CVEs) and triage them accordingly (so we can easily compare
> python2 and python3 status).
> Would that be OK?

>From my side no objection on that. If you do not hear a NACK, go ahead
with it.

> - For gnupg1, we'd like to reference it in
> debian-security-support/security-support-limited (or
> security-support-endedXX).
> Would that be OK?

Inclided to say to add it to security-support-limited. The reference
to the release notes might suffice as explanation, or you can be more
verbose and reference #982258. It lists reasons for still keeping
src:gnupg1 to handle specific usecases.

> - For sqlite, I believe LTS supports it as a dependency of
> yum<python-sqlite<libsqlite0.
> There are also direct use cases of the 'sqlite' CLI: for accessing v2
> databases, and migrate v2 databases to v3 (AFAICS).

Ok understand.

> So I'm more inclined to keep it supported for the duration of buster-lts
> (package was removed in later dists).
> What do you think?

The question is then probably: If kept supported, you would need to
check each of the sqlite affecting CVEs if they apply really to the
old code-base. In such a case, add

	- sqlite <removed>

and triage it further for buster.

Regards,
Salvatore

Reply to:

Follow-Ups:
- Re: Triage status for a few old packages
  - From: Moritz Muehlenhoff <jmm@inutil.org>

References:
- Re: Triage status for a few old packages
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Re: Triage status for a few old packages
  - From: Sylvain Beucler <beuc@beuc.net>

Prev by Date: Re: [Git][security-tracker-team/security-tracker][master] Reserve DLA-3389-1 for lldpd
Next by Date: Re: Triage status for a few old packages
Previous by thread: Re: Triage status for a few old packages
Next by thread: Re: Triage status for a few old packages
Index(es):
- Date
- Thread