Bug#921952: [Pkg-sass-devel] Bug#921952: Don't include in buster without proper commitment to update in stable
On Tue, May 21, 2019 at 10:01:55AM +0200, Aljoscha Lautenbach wrote:
> Hi,
>
> On Mon, 20 May 2019 at 23:11, Moritz Mühlenhoff wrote:
> > What's considered needed is that someone should actually look through
> > https://security-tracker.debian.org/tracker/source-package/libsass and
> > triage/fix.
> >
> > The only visible action done in five weeks was to lower the severity, so
> > I'm reverting to RC status until there's some actual work happening.
>
> I'm sorry, I have been very busy since I got back from vacation. I certainly
> see your point; I will try to show some visible progress by next week.

Great! There's also an MR on salsa, so make sure to prevent duplicated work:
https://salsa.debian.org/sass-team/libsass/merge_requests/1

Cheers,
Moritz
Bug#921952: [Pkg-sass-devel] Bug#921952: Don't include in buster without proper commitment to update in stable
Hi,

On Mon, 20 May 2019 at 23:11, Moritz Mühlenhoff wrote:
> What's considered needed is that someone should actually look through
> https://security-tracker.debian.org/tracker/source-package/libsass and
> triage/fix.
>
> The only visible action done in five weeks was to lower the severity, so
> I'm reverting to RC status until there's some actual work happening.

I'm sorry, I have been very busy since I got back from vacation. I certainly
see your point; I will try to show some visible progress by next week.

Kind regards,
Aljoscha
Bug#921952: [Pkg-sass-devel] Bug#921952: Don't include in buster without proper commitment to update in stable
control: severity -1 important

Quoting Aljoscha Lautenbach (2019-04-09 23:03:06)
> during the BSP in Gothenburg last weekend I discussed with Jonas how I
> could help to put libsass back on track regarding its security status.
> We agreed that the best move is to start with triaging the existing
> Debian bugs and by identifying the CVE status in upstream's issue
> tracker. [0]

@Aljoscha: Thanks for your initial work and - more so - for committing to
help generally looking after these security issues in libsass.

Due to the expansion of the libsass team with Aljoscha, I am lowering
severity of this bugreport.

If the security team or others disagree, then please elaborate what you
consider is needed.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
Bug#921952: [Pkg-sass-devel] Bug#921952: Don't include in buster without proper commitment to update in stable
Quoting Xavier (2019-04-16 15:52:53)
> Hi all,
>
> Some fixes proposed in
> https://salsa.debian.org/sass-team/libsass/merge_requests/1 :
> CVE-2018-19827, CVE-2019-6283, CVE-2019-6284 and CVE-2019-6286

Thanks for your help, Xavier.

This bugreport is however not to track specific bugs in libsass but to
track the meta-issue of the general "health" of the maintenance.

Therefore, it is more helpful if you post concrete bugfixes not here but
at bugreports for the concrete bugs (i.e. locate existing bugreports or
file new bugreports for CVEs without a bugreport in Debian yet).

If you are interested in stepping up to help generally maintain libsass,
then that would be great - and we can talk about that in this bugreport.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
Bug#921952: [Pkg-sass-devel] Bug#921952: Don't include in buster without proper commitment to update in stable
Hi,

during the BSP in Gothenburg last weekend I discussed with Jonas how I
could help to put libsass back on track regarding its security status.
We agreed that the best move is to start with triaging the existing
Debian bugs and by identifying the CVE status in upstream's issue
tracker. [0]

Unfortunately upstream does not actively track CVE numbers. After
Anthony Fok asked them about it in mid 2018 [1], they replied that CVE
numbers are only tracked if bug reporters add the CVE numbers themselves,
which several bug reporters have started to do since then. As a result,
CVE tracking on upstream's issue tracker seems to have improved since mid
2018, but there is no guarantee that this will persist, so manual
vigilance is still required. ;)

Also, for older CVEs this info does not seem to be available in
upstream's issue tracker, and occasionally bug status information can
fall through the cracks during merges, see e.g., #2814 (CVE-2019-6283),
#2815 (CVE-2019-6286) and #2816 (CVE-2019-6284): the git log in the
master branch only specifies that #2814 was fixed, but pull request #2857
specifies that the same commit also fixed #2815 and #2816. [2]

I started by cross-referencing the CVEs (which are explicitly mentioned
in upstream's issue tracker) with upstream fixes:

+----------------+----------------+--------------------------+
| CVE            | Upstream bug # | Fixed in upstream commit |
+----------------+----------------+--------------------------+
| CVE-2019-6284  | #2816          | 8e681e2                  |
| CVE-2019-6286  | #2815          | 8e681e2                  |
| CVE-2019-6283  | #2814          | 8e681e2                  |
| CVE-2018-19827 | #2782          | b21fb9f                  |
| CVE-2018-19797 | #2779          | e94b5f9                  |
| CVE-2018-11499 | #2643          | 930857c                  |
+----------------+----------------+--------------------------+

As mentioned, this only covers recent CVEs, and there is still a lot of
manual triaging needed. Several of the older CVEs seem to have been fixed
"silently" (without explicitly referring to the CVEs), but that remains
to be confirmed. I will try to cross-reference all known CVEs with
upstream issues on github, so we can track if upstream fixed them already
and when.

This is obviously only the first step, but with that information we can
try to identify which CVEs are still relevant for Debian, and which fixes
need to be backported. Over time, we should be able to get this package
back in shape. :)

Kind regards,
Aljoscha

[0] https://github.com/sass/libsass/issues?q=is%3Aissue+cve+is%3Aclosed
[1] https://github.com/sass/libsass/issues/2682
[2] https://github.com/sass/libsass/pull/2857
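The next step after a table like the one above is deciding, for the upstream ref a package is built from, which fixes are already contained and which still need backporting. As an added example (not part of Aljoscha's message, the libsass project or the Debian packaging), the POSIX shell script below takes CVE:commit pairs and checks each commit's ancestry with `git merge-base --is-ancestor`. Checking ancestry rather than grepping commit messages for issue numbers is what makes the #2815/#2816 case visible: their fix is the same commit as #2814 even though the git log names only #2814. It assumes git is installed and, for real use, a local clone of upstream; the demo repository, its tag names and the CVE-EXAMPLE identifiers are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the bug thread: report which upstream fix commits
# from a CVE -> commit table are contained in a given upstream ref. Ancestry
# is checked with `git merge-base --is-ancestor`, so a commit that closed
# several issues but names only one in its message is still counted for
# every CVE it maps to.

# cve_fix_status REPO REF CVE:COMMIT...
# Prints one line per entry: "<CVE> fixed ..." or "<CVE> open ...".
# Unknown or unreachable commits (status 1 or 128 from git) count as open.
cve_fix_status() {
    repo=$1
    ref=$2
    shift 2
    for entry in "$@"; do
        cve=${entry%%:*}
        commit=${entry#*:}
        if git -C "$repo" merge-base --is-ancestor "$commit" "$ref" 2>/dev/null; then
            printf '%s fixed (%s is an ancestor of %s)\n' "$cve" "$commit" "$ref"
        else
            printf '%s open (%s is not contained in %s)\n' "$cve" "$commit" "$ref"
        fi
    done
}

# count_open REPO REF CVE:COMMIT...
# Prints how many entries are still open in REF; usable as a gate before upload.
count_open() {
    cve_fix_status "$@" | awk '/ open /{n++} END{print n+0}'
}

# make_demo_repo: builds a throwaway repository so the example runs offline.
# The history and tag names are constructed for this example; they are not
# libsass history. Prints the repository path.
make_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" -c init.defaultBranch=main init -q
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "initial import"
    git -C "$dir" tag release-old
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "Fix out-of-bounds read in parser (fixes #1)"
    git -C "$dir" tag release-new
    printf '%s\n' "$dir"
}

# Real usage against an upstream checkout, with the table from the message
# above (commits abbreviated exactly as listed there); <ref> is the upstream
# tag or commit the package is built from:
#   cve_fix_status /path/to/libsass <ref> \
#       CVE-2019-6284:8e681e2 CVE-2019-6286:8e681e2 CVE-2019-6283:8e681e2 \
#       CVE-2018-19827:b21fb9f CVE-2018-19797:e94b5f9 CVE-2018-11499:930857c

demo() {
    repo=$(make_demo_repo)
    fix=$(git -C "$repo" rev-parse --short release-new)
    # The fix commit is only reachable from release-new, so the same table
    # entry shows as open for release-old and fixed for release-new.
    cve_fix_status "$repo" release-old "CVE-EXAMPLE-0001:$fix"
    cve_fix_status "$repo" release-new "CVE-EXAMPLE-0001:$fix"
    rm -rf "$repo"
}

demo
```

Run it against the real tree by pointing `cve_fix_status` at an upstream clone and the tag the Debian package is built from; every line reported as open is a fix that still has to be backported, and `count_open` gives a single number to check in a release script.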
Bug#921952: [Pkg-sass-devel] Bug#921952: Don't include in buster without proper commitment to update in stable
On Mon, Mar 11, 2019 at 12:29:10PM +0100, Jonas Smedegaard wrote:
> control: reopen -1
>
> Quoting Jonas Smedegaard (2019-03-11 12:22:03)
> > Quoting Moritz Muehlenhoff (2019-02-10 14:47:49)
> > > Source: libsass
> > > Severity: serious
> > >
> > > None of the security bugs filed in the BTS has seen any maintainer
> > > followup (dating back to 2017 in some cases), and that's just the tip
> > > of the iceberg, the security tracker lists many more.
> > >
> > > Unless someone steps forward and commits to properly maintain it during
> > > the lifetime of a stable release, let's not include it in buster.
> >
> > I have now looked closer at this issue, and disagree that this package
> > has a bug of general neglect. Closing this bugreport accordingly.
>
> Whoops - I have no idea how I could manage to "investigate" but miss the
> amount of bugreports that I now see (and are not new).
>
> Reopening. Sorry for the noise.

In addition there's also a fair number of security issues which don't even
have a bug filed, see
https://security-tracker.debian.org/tracker/source-package/libsass

Cheers,
Moritz
Bug#921952: [Pkg-sass-devel] Bug#921952: Don't include in buster without proper commitment to update in stable
control: reopen -1

Quoting Jonas Smedegaard (2019-03-11 12:22:03)
> Quoting Moritz Muehlenhoff (2019-02-10 14:47:49)
> > Source: libsass
> > Severity: serious
> >
> > None of the security bugs filed in the BTS has seen any maintainer followup
> > (dating back to 2017 in some cases), and that's just the tip of the iceberg,
> > the security tracker lists many more.
> >
> > Unless someone steps forward and commits to properly maintain it during the
> > lifetime of a stable release, let's not include it in buster.
>
> I have now looked closer at this issue, and disagree that this package
> has a bug of general neglect. Closing this bugreport accordingly.

Whoops - I have no idea how I could manage to "investigate" but miss the
amount of bugreports that I now see (and are not new).

Reopening. Sorry for the noise.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
Bug#921952: [Pkg-sass-devel] Bug#921952: Don't include in buster without proper commitment to update in stable
Control: tags -1 help

Quoting Moritz Muehlenhoff (2019-02-10 14:47:49)
> None of the security bugs filed in the BTS has seen any maintainer
> followup (dating back to 2017 in some cases), and that's just the tip
> of the iceberg, the security tracker lists many more.
>
> Unless someone steps forward and commits to properly maintain it
> during the lifetime of a stable release, let's not include it in
> buster.

Thanks for raising this concern.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private