Hi, I checked the four new CVEs and my conclusion is that the vulnerable code is not present. I'm not 100% sure, because the code is so extremely different, but I'm pretty sure about it. At least I cannot even grep for "surrounding code" in the area where the fix is made.
Based on that I marked them as not-affected. I think this applies to the rest of the CVEs in the list as well, but I have not checked.

Cheers

// Ola

On Wed, 13 Mar 2024 at 20:34, Sylvain Beucler <b...@beuc.net> wrote:
> Hi Ola,
>
> On 12/03/2024 20:52, Ola Lundqvist wrote:
> > I have claimed the package myself now. I think the conclusion will be
> > that all are minor issues and the package does not need an update. But we
> > will see when I have gone through all the CVEs.
>
> tinymce is only available up to buster, so we don't have to sync with
> stable/oldstable, and can make a decision directly.
>
> > However, if you look more closely, you can see that all
> > those CVEs are of a "cross site scripting" nature, and when you look at
> > the rest of the issues in that list there are many more with the
> > same type of issue and those are marked as no-dsa.
>
> In this case, XSS is defeating the core feature of the tool, so I would
> fix them.
>
> > If I had triaged this package as front-desk I would have
> > marked the rest the same, with the reasoning that there are anyway so
> > many of the same type that it does not help to fix a few others.
>
> The newer CVEs weren't shown in FD's tools since the package was already added to
> dla-needed.txt, hence why they weren't triaged.
>
> > So my question is:
> > - Should those CVEs that are not no-dsa today be marked as no-dsa,
> > and in that case the package be removed from dla-needed?
> > or
> > - Should the XSS type issues already marked as no-dsa in fact
> > have the no-dsa tag removed, and we should fix them as well?
>
> See also my other mail on interpreting "no-dsa" in the context of LTS.
>
> Here we've got a bunch of postponed XSS to fix, and a sponsor, so I'd
> say go ahead and publish a DLA to fix them all :)
>
> Cheers!
> Sylvain
> FD this week

-- 
--- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com o...@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------