Hello all,

In recent days I made an attempt at backporting fixes made upstream in libqb to address CVE-2019-12779. I requested a review from upstream in the related GitHub issue [0].

The essence of the discussion is that some important parts of the upstream changes do not apply to the libqb in Jessie, because libqb in Jessie is considerably older than the releases for which upstream has provided a fix. Chris and Brian have both made assessments of the degree of vulnerability in libqb [1]. The comments from upstream appear to be in line with those observed by Chris and Brian.

That said, Ferenc Wágner, who is the current maintainer of libqb in Debian and also has contributed upstream, joined the conversation. He asked what packages depend on libqb. I must confess that it never even occurred to me to look. The answer is that no packages depend on libqb in Jessie, making it a leaf package.

Based on that and the vast differences between libqb 0.11.1, in Jessie, and 1.0.5, in which the fixes have been made available, Ferenc's assessment, and mine, is that additional effort on this package would be a waste. From Ferenc's point of view, anybody on such an old release of Debian would have used 0.17.2 or 1.0.1 from jessie-backports. Neither of those will be updated by the security team. Updating to a current upstream release would be low risk from the standpoint of it being a leaf package, but that does not seem right either.

With that in mind, does this seem like a package for which we should declare the end of support?

Regards,

-Roberto

[0] https://github.com/ClusterLabs/libqb/issues/338
[1] https://lists.debian.org/debian-lts/2019/06/msg00015.html

-- 
Roberto C. Sánchez