[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

(E)LTS report for September 2023

I've worked during September 2023 on the below listed packages, for
Freexian LTS/ELTS [1]

Many thanks to Freexian and sponsors [2] for providing this opportunity!


zabbix - ELA-945-1, ELA-957-1
  After zabbix has been released in August for buster (DLA-3538-1), I've
  continued to work to cover Stretch, which has been released as
  ELA-945-1 early September.

  Afterwards, I worked on to fix Jessie as well -- ELA-957-1.

  A noteworthy change is for CVE-2013-7484, which changes the way the
  password is saved in the database to a more secure way.  This requirea
  an update in the database scheme, and a "Debian" specific db version
  identifier, unused by upstream, to be employed, so that later database
  updates won't be affected. Passwords will be re-hashed when users login.

  The upgrade paths all the way from Jessie to Bookworm is not impaired;
  the package in those suites employ already the database change and the
  db update is idempotent. (this assumes (E)LTS updates are used.)

  The Jessie codebase was naturally even older as the Stretch codebase,
  and provided extra challenged as all patches had to be manually
  backported to the version in Jessie and due to the refactoring efforts
  upstream has put into the codebase, many fixed required to localize
  additional location which needed fixing as well and as those backports
  were not that straight forward, a lots of testing had been conducted
  to reduce the risk of breakages as much as possible. 


firmware-nonfree - DLA-3596-1 
  Following Intels security advisory INTEL-SA-00766 several firmware
  blobs for some of their Wifi/Bluetooth products have been updated to
  fix several CVEs.

  Firmwareblobs provide their own challenges, as obviously there is
  no source to inspect to verify things. and addtional the vendor is not
  very clear in their communication which would help identifying the
  correct firmware blob, so the only information available was that the
  problem is "Fixed upstream in linux-firmware/20230804".

  Looking at the repository I could identify a few commits that
  were touching Intel firmware files to extract the updates files,
  and to cherry-pick them into an updated buster firmware-nonfree
  package. Feedback from the package maintainers was that this normal
  and the only thing we can do, unfortunatly.

  Firmwareblobs provide their own challenge, (yes, I'm repeating
  myself:) It seems that the Intel blob <-> kernel interface is using
  a versioned ABI, and the kernels only can cater a certain range. That
  means, that *some* of the updated firmware files will not be loadable
  by buster's kernel, a thing that I only figured out _after_ I
  integrated the files already into the packaging and checked with the
  linux kernel sources. 
  I left them in in the hope that there are folks that will still
  benefit from them, however, I encourage people to verify their
  setup so that they know if they are still vulnerable. 

  Unfortunatly, this is all we can do when non-free binary blobs
  are involved.

  Adminstartive work (creation of the repository) and some analyis.
  After that the CVEs had been re-triaged and their severity reduced
  to "unimportant", so I was informed that we won't issue an update
  of nasm at this moment and should not continue on the package.

  Adminstartive work (creation of the repository) and some analyis.
  There was information that another contributor had done analysis
  already a few months ago, but the result was nowhere to find, so I
  reached out to them and in the course determined that it is better
  that said contributor will finish the work.

  Started working on this package, the work will continue in October.
  So far, analysised the package to determine the best course of
  action. As the package has 60 CVE'S open, and only a few have spelled
  out the explicit patches that are required to fix them I first investigated
  if it is possible to pull in a new upstream version, for example the
  bullseye version (2.3.0), but unfortuntaly vinagre started to show
  only black screens with that version -- which could be of course a
  vinagre problem, as remmina for example continued to work -- but shows
  that this path is too risky.  
  A second test with 2.0.0 -- which is only the next release after the
  git commit that had been packaged for buster -- in the hope this
  will pull the buster version to an official released version and
  therefore already fix a lot of vulnerabilties, but unfortunatly
  brought the same result, so it is probably worth the time to take
  another look into vinagre's direction…

[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors


Attachment: signature.asc
Description: PGP signature

Reply to: