Hi Neil, all

Thank you very much for this information.
Just a small note. LTS differs from ELTS in that LTS aims to support all software in Debian, except the ones clearly documented as not supported. The packages-to-support is just an indication that these are the ones the sponsors want us to support. Unless this has changed and I have missed that.

I'll triage the other packages and see if something more appears.

Not sure where to document this, apart from it being in this email thread.

Cheers

// Ola

On Tue, 17 May 2022 at 10:05, Neil Williams <codeh...@debian.org> wrote:
>
> On Tue, 17 May 2022 09:25:36 +0200
> Ola Lundqvist <o...@inguza.com> wrote:
>
> > Hi again team
> >
> > Sorry for sending a lot of emails today but I need guidance from you.
> >
> > I have triaged the fis-gtm package. It has a large set of
> > vulnerabilities that can be considered rather severe. At least at
> > first glance. This votes for the package to be fixed.
> >
> > However the popcon score is very low. This votes for us to not
> > support it.
> >
> > What do you think?
>
> When I filed #1009900 for these CVEs, the issues all arose from fuzz
> testing and were not deemed to be exploitable. (Requiring local access
> and an ability to modify files). Also, the database format itself has
> changed in a non-backwards compatible way between the version currently
> in Debian (v6) and the latest upstream release (v7).
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009900#19
>
> As upstream have not (yet) provided specific commit references for any
> of the CVEs, I see no way to patch 6.3-014-3 in bullseye,
> 6.3-007-1 in buster or 6.3-000A-1 in stretch as the fixes have been
> applied upstream to the incompatible v7 format.
>
> Security Team haven't triaged fis-gtm for buster yet, I suspect that
> will get a <no-dsa> tag as the CVEs do not appear to be remotely
> exploitable, but check with Moritz or Salvatore.
>
> fis-gtm isn't listed in packages-to-support for debian-lts, so it would
> not appear to be a candidate.
>
> --
> Neil Williams
> =============
> https://linux.codehelp.co.uk/

--
--- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com                         o...@debian.org |
| http://inguza.com/          Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------