Question about nss patches
Hi Raphael,

I've been working on updates to nss and found something peculiar in nss in wheezy from your December 23, 2016 change:

  * Repackage the new upstream release as debian/patches/nss-3.26.2.patch
    on top of nss-3.26 to avoid having a version higher than in jessie.

In working on updates to nss in jessie and wheezy I am wondering if it makes sense to apply that same patch to the nss in jessie. Based on the date of the change, it seems like the reason the change was made in wheezy but not in jessie is that jessie was handled by the security team at that time.

That means that the way things currently are, the "real" nss versions are:

  wheezy nss:  3.26.2
  jessie nss:  3.26
  stretch nss: 3.26.2

My inclination is to add the 3.26.2 patch to the nss in jessie. However, I wanted to ask before making that change in the event that there is a reason the change should not be made. Do you have any insight you can add here?

Regards,

-Roberto

-- 
Roberto C. Sánchez
Re: Request for help/comments: sqlite3
Hi Jonas,

On Wed, Jul 03, 2019 at 02:48:51PM +0200, Jonas Meurer wrote:
> Hi Ola,
>
> thanks for your response!
>
> Ola Lundqvist:
> > I have now looked into this problem to see if I can find out something.
> >
> > What I have done is to backtrack whether the code is ever executed by
> > sqlite and I cannot find that it can be.
> >
> > rtreenode function is registered using sqlite3_create_function
> > in sqlite3_rtree_init. But I cannot find that the sqlite4_rtree_init
> > function is called from anywhere.
> >
> > Based on this I think we can rather safely say that the function is not
> > used in Debian and hence the package is not affected.
>
> Ok, great. So given that others didn't comment (yet) and we both agree
> on ignoring CVE-2019-8457 for Jessie LTS, we should do so, at least for now.
>
> Let's wait for Security Team's opinion. My recommendation for them would
> be to do the same, given that backporting the fix for CVE-2019-8457 to
> the sqlite3 version in Stretch will be as complex as it is for Jessie.

FWIW, it was marked no-dsa, ideally fixing this in a point release and exposing it more to testing before the point release update itself (a backport might be feasible; Ubuntu has released a USN including fixes for various older versions as well).

Regards,
Salvatore
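The open question in the thread is whether the rtreenode() SQL function is actually reachable in a given sqlite3 build. Reading the source is one way to answer that; asking the linked library directly is another. The following is an added example (not code from the thread, from Debian, or from the SQLite project) that checks two things against whatever libsqlite3 Python's standard sqlite3 module is linked to: whether ENABLE_RTREE appears in the compile-time options, and whether a named SQL function is registered. The registration probe calls the function with zero arguments, so for a fixed-arity function such as rtreenode() the error is raised at statement-preparation time and the function body is never executed, which keeps the probe safe to run even against a build where rtreenode() itself is the buggy code. The function names and the `rtree_exposure` helper are my own choices for illustration.

```python
import re
import sqlite3

# Only plain identifiers are accepted as function names; the name is spliced
# into SQL text, so anything else is refused rather than escaped.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _open(conn):
    """Return (connection, owns_it) so helpers work with or without a caller-supplied connection."""
    if conn is None:
        return sqlite3.connect(":memory:"), True
    return conn, False


def compile_options(conn=None):
    """Return the SQLITE_* compile-time options of the linked SQLite library, sorted.

    'ENABLE_RTREE' in this list means the R-tree module was built in; that is
    the module that registers rtreenode(), rtreedepth() and (newer) rtreecheck().
    """
    conn, own = _open(conn)
    try:
        return sorted(row[0] for row in conn.execute("PRAGMA compile_options"))
    finally:
        if own:
            conn.close()


def sql_function_is_registered(name, conn=None):
    """Probe whether SQL function `name` is registered on this connection.

    Strategy: execute 'SELECT name()'. An unregistered function fails with
    'no such function: name'. A registered one either succeeds (if it takes
    zero arguments, e.g. random()) or fails with a different error such as
    'wrong number of arguments to function name()'. The arity check happens
    while the statement is being prepared, so a fixed-arity function body is
    never run by this probe.
    """
    if not _IDENT.match(name):
        raise ValueError("refusing to probe non-identifier function name: %r" % name)
    conn, own = _open(conn)
    try:
        conn.execute("SELECT %s()" % name)
        return True
    except sqlite3.OperationalError as exc:
        return not str(exc).startswith("no such function")
    finally:
        if own:
            conn.close()


def rtree_exposure(conn=None):
    """Summarise how much of the R-tree module this build exposes to SQL."""
    conn, own = _open(conn)
    try:
        opts = compile_options(conn)
        return {
            "sqlite_version": sqlite3.sqlite_version,
            "enable_rtree_compiled_in": "ENABLE_RTREE" in opts,
            "rtreenode_registered": sql_function_is_registered("rtreenode", conn),
            "rtreedepth_registered": sql_function_is_registered("rtreedepth", conn),
            "rtreecheck_registered": sql_function_is_registered("rtreecheck", conn),
        }
    finally:
        if own:
            conn.close()


if __name__ == "__main__":
    for key, value in rtree_exposure().items():
        print("%-26s %s" % (key + ":", value))
```

On a Debian-style build with the R-tree module enabled, `rtreenode_registered` comes back True even though nothing in the packaged application ever calls it: the function is registered on every connection that SQLite opens, so reachability depends only on whether an attacker can get a `SELECT rtreenode(...)` through to the database, not on whether the application's own code references it. That is the check to run before concluding a package is unaffected on the basis of "no caller in the tree".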
Re: pound / CVE-2016-10711
Carsten,

On 13/07/19 5:38 pm, Carsten Leonhardt wrote:
> Hi,
>
> if you're interested in addressing this CVE, you can find a fixed
> version for jessie at https://salsa.debian.org/debian/pound/tree/jessie
>
> An amd64 binary package can be found here:
>
> https://salsa.debian.org/debian/pound/-/jobs/221014/artifacts/browse/debian/output/

Added to the list. Somebody from the LTS team will fix it. Thanks.