
Bug#928306: unblock: liblivemedia/2018.11.26-1.1



Control: tags -1 confirmed moreinfo

Hi,

On Wed, May 01, 2019 at 06:45:04PM +0200, Hugo Lefeuvre wrote:
> Please unblock package liblivemedia
> 
> Dear Release team,
> 
> liblivemedia 2018.11.26-1 from Buster is affected by CVE-2019-9215[1] and
> CVE-2019-7314[2], two security issues in the server part of the library.
> 
> The impact is at least DoS, which is trivial to manage using a publicly
> available script. In fact, these issues might allow any script kiddie to
> make any live555 server fully unusable.
> 
> These issues have been fixed in oldstable and stable. Not fixing them in
> Buster would be a security regression.
> 
> Sebastian Ramacher (Debian maintainer) did not want to take time for this
> NMU, but did not oppose either[3]. He meant that these CVEs are only
> affecting the server part of the library, which is not used by reverse
> dependencies.
> 
> debdiff with targeted fixes in attachment.

According to the security tracker, liblivemedia in buster/sid is also affected
by CVE-2019-7732 and CVE-2019-7733. Maybe you should consider fixing these as
well (if there is a fix available that's easy to apply to the version in sid).

Either way, the diff you attached to this bug looks fine, so you can go ahead
with the upload to unstable and remove the moreinfo tag from this bug once the
package is in unstable. If you want to add targeted fixes for the two other
CVEs, you don't need to ask pre-approval for them, you can include them in the
upload to unstable and send an updated debdiff.

Thanks,

Ivo
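The check the release team member applies above (which CVEs the Debian security tracker still lists as open for liblivemedia in buster and sid) can be scripted against the tracker's JSON export. The following is an added example, not code from this mail thread or from the Debian project; it assumes the layout of https://security-tracker.debian.org/tracker/data/json (package -> CVE -> "releases" -> release -> {"status": ...}), and the tracker data embedded below is a constructed sample that mirrors what the thread says, not a real tracker snapshot.

```python
"""List CVEs the Debian security tracker still marks as unfixed for a package
in a given release.

Added example (not from the mail thread). Assumed JSON layout of the tracker
export: {package: {cve_id: {"releases": {release: {"status": ...}}}}}, where
status is one of "open", "resolved" or "undetermined".
"""
import json
import urllib.request

TRACKER_JSON_URL = "https://security-tracker.debian.org/tracker/data/json"

# Constructed sample in the tracker's shape, built from the thread's claims:
# CVE-2019-9215 / CVE-2019-7314 fixed in stretch (oldstable at the time) but
# open in buster/sid; CVE-2019-7732 / CVE-2019-7733 open in buster/sid.
# Not real tracker output.
SAMPLE_TRACKER = {
    "liblivemedia": {
        "CVE-2019-9215": {"releases": {
            "stretch": {"status": "resolved"},
            "buster": {"status": "open"},
            "sid": {"status": "open"},
        }},
        "CVE-2019-7314": {"releases": {
            "stretch": {"status": "resolved"},
            "buster": {"status": "open"},
            "sid": {"status": "open"},
        }},
        "CVE-2019-7732": {"releases": {
            "buster": {"status": "open"},
            "sid": {"status": "open"},
        }},
        "CVE-2019-7733": {"releases": {
            "buster": {"status": "open"},
            "sid": {"status": "open"},
        }},
    },
}


def open_cves(tracker: dict, package: str, release: str) -> list:
    """Return the sorted CVE ids for `package` whose status in `release` is
    anything other than "resolved".

    "undetermined" is deliberately counted as unfixed: a release team would
    want to look at it rather than silently treat it as done.  CVEs with no
    entry for `release` are skipped (the tracker lists only the releases it
    has assessed).
    """
    result = []
    for cve_id, info in tracker.get(package, {}).items():
        rel = info.get("releases", {}).get(release)
        if rel is None:
            continue
        if rel.get("status") != "resolved":
            result.append(cve_id)
    return sorted(result)


def load_live_tracker(url: str = TRACKER_JSON_URL) -> dict:
    """Fetch the real tracker export (network access; several tens of MB)."""
    with urllib.request.urlopen(url) as resp:  # nosec: fixed https URL
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.  For a live check,
    # replace SAMPLE_TRACKER with load_live_tracker().
    for release in ("stretch", "buster", "sid"):
        print(release, open_cves(SAMPLE_TRACKER, "liblivemedia", release))
```

Run as a script it prints, per release, the CVEs still open for liblivemedia in the sample; swapping in `load_live_tracker()` gives the same report against the real tracker, which is the list an uploader should reconcile with the debdiff before asking for an unblock.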
