I've worked during February 2024 on the below listed packages, for Freexian LTS/ELTS [1]. Many thanks to Freexian and sponsors [2] for providing this opportunity!

ELTS and LTS: nss (WIP)
=======================

nss has currently three (buster) and four (jessie, stretch) open vulnerabilities. Some of the patches were easy to backport, but there were challenges with CVE-2023-5388 and CVE-2023-6135.

For the first one, at the beginning of my work, there was no patch publicly available, albeit some commercial distribution had claimed that they had fixed it already; however, I couldn't find the patch. MAYBE that's because they've recently restricted access to their source code to their customers only. At least I couldn't find it. However, after asking the LTS team, someone from the team pointed me to patches from AWS and rockylinux, and only a few days later upstream committed a patch to their repository (which was a bit different than the patch found earlier).

The second one, CVE-2023-6135, is a side-channel attack nicknamed "Minerva". The security tracker lists two relevant patches and they are partially backportable, except on the parts where the buster code seems not to have the NIST curves, at least not in the files the upstream patch is patching. I've adopted the upstream patches, but I was too unsure about what bits of those patches are actually required for buster, so I've decided not to apply the patch and keep the CVE unhandled, and reached out to upstream to obtain further information about the vulnerability. Upstream suggested deferring this CVE for now, as they plan to prepare patches for one of their LTS versions and it will make more sense to use those for backporting to (E)LTS. However, I'm intending not to wait for that patch before releasing February's work, so a DLA / ELA will be issued once I've completed testing. (Upstream has a test suite available; however, as it seems to need a compiled nspr source tree, I'm not sure if I can automate the tests.)

As of writing this report, the stretch test suite has been run successfully; jessie and buster are still on the list.

LTS: openvswitch (DLA 3734-1, CVE-2023-5366)
============================================

Openvswitch had 4 open CVEs; after triaging, two of them could be marked as not affecting buster, as the vulnerable code had been introduced later (both CVE-2023-3966 and CVE-2024-22563 were introduced with 2.11.0, where buster is at 2.10.7).

The patch for -5366 was quite easily backported, but unfortunately made the (extensive) test suite unhappy: some tests of the same test suite failed, also the ones added by the patch for -5366… The reason: the patch depended on later commits, which I eventually found using git bisect. The previously failing tests started to pass with the commit, but the commit introduced another test which was now failing, so I had to redo the same procedure as before to find the commit which was needed to pass the test. Now the test suite was happy, but there was one test that was flaky, so this needed to be investigated further to see if my changes had introduced a regression there. Fortunately, after running the failing test over and over again, with and without my patches, I could determine that the test wasn't more flaky than it had been before.

Yeah, that DLA was a bit more bumpy than anticipated.

Cheers,
-- 
tobi

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors