Here’s my (fifth) monthly update about the activities I’ve done in Debian this February.

Debian LTS

This was my fifth month as a Debian LTS paid contributor.
I was assigned 20.00 hours and worked on the following things:

CVE Fixes and Announcements:

  • Issued DLA 2095-1, fixing CVE-2020-7040, for storebackup.
    Details here:

    storeBackup through 3.5 relies on the /tmp/storeBackup.lock pathname, which allows symlink attacks that possibly lead to privilege escalation.

    For Debian 8 “Jessie”, this problem has been fixed in version 3.2.1-1+deb8u1.
    Furthermore, I sent the patch for the security update for Stretch and Buster to the maintainer.

  • Issued DLA 2113-1, fixing CVE-2020-8631 and CVE-2020-8632 for cloud-init.
    Details here:

    For CVE-2020-8631: cloud-init relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/ calls the random.choice function.

    For CVE-2020-8632: in cloud-init, rand_user_password in cloudinit/config/ has a small default pwlen value, which makes it easier for attackers to guess passwords.

    For Debian 8 “Jessie”, these problems have been fixed in version 0.7.6~bzr976-2+deb8u1.

  • Issued DLA 2116-1, fixing CVE-2015-9542, for libpam-radius-auth.
    Details here:

    A vulnerability was found in pam_radius: the password length check was done incorrectly in the add_password() function in pam_radius_auth.c, resulting in a stack-based buffer overflow.

    This could be used to crash (DoS) an application using the PAM stack for authentication.

    For Debian 8 “Jessie”, this problem has been fixed in version 1.3.16-4.4+deb8u1.

  • Issued DLA 2127-1, fixing CVE-2019-10785, for dojo.
    Details here:

    dojox was vulnerable to Cross-site Scripting. This was due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them.

    For Debian 8 “Jessie”, this problem has been fixed in version 1.10.2+dfsg-1+deb8u2.

  • Whilst Dylan issued DLA 2120-1, fixing CVE-2020-8130, for rake, I, with the Ruby team hat on, fixed the same issue for Stretch and Buster via proposed-updates.
    This CVE was fixed via 10.5.0-2+deb9u1 and 12.3.1-3+deb10u1 respectively.
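The dojox encoding bug from the DLA 2127-1 item above, as an added example that is not the dojo project's code: in JavaScript, String.prototype.replace with a string pattern substitutes only the first match, so an encoder written that way leaves every later markup character raw, while the global-regex form encodes all of them. That this string-pattern replace was the mechanism behind CVE-2019-10785 is an assumption here; the input is constructed.

```javascript
// Added example (not dojo's code): why "encode only the first occurrence" breaks XML escaping.
// In JavaScript, String.prototype.replace with a *string* pattern replaces only the first match.

// Incorrect encoder (assumed shape of the bug): each replace() substitutes one occurrence,
// so any later '<', '>', '&' or quote in the input survives unencoded.
function xmlEncodeFirstOnly(str) {
  if (!str) return str;
  return str
    .replace("&", "&amp;")
    .replace(">", "&gt;")
    .replace("<", "&lt;")
    .replace("'", "&apos;")
    .replace('"', "&quot;");
}

// Corrected encoder: global regexes (the /g flag) substitute every occurrence.
// '&' must be handled first so the entities produced afterwards are not re-encoded.
function xmlEncodeAll(str) {
  if (!str) return str;
  return str
    .replace(/&/g, "&amp;")
    .replace(/>/g, "&gt;")
    .replace(/</g, "&lt;")
    .replace(/'/g, "&apos;")
    .replace(/"/g, "&quot;");
}

// Defensive check for an encoded XML text node: none of the four markup characters may
// remain, and every '&' must start one of the five entities the encoder emits.
function isFullyEncoded(encoded) {
  return !/[<>'"]/.test(encoded) && !/&(?!(amp|lt|gt|apos|quot);)/.test(encoded);
}

// Constructed input with repeated special characters, as a chat message might contain.
const sample = '<b>hi</b> & "bye" & it\'s';
console.log(xmlEncodeFirstOnly(sample), isFullyEncoded(xmlEncodeFirstOnly(sample)));
// -> &lt;b&gt;hi</b> &amp; &quot;bye" & it&apos;s false
console.log(xmlEncodeAll(sample), isFullyEncoded(xmlEncodeAll(sample)));
// -> &lt;b&gt;hi&lt;/b&gt; &amp; &quot;bye&quot; &amp; it&apos;s true
```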

Other LTS Work:

  • Triaged cloud-init, slirp, libpam-radius-auth, dojo, and qemu.

  • Triaged CVE-2020-1711 and CVE-2020-8608 with more precision and discussed the details with Ola.

  • Started working on rrdtool for CVE-2014-6262.

Debian Work

This was a great month! MiniDebCamp -> FOSDEM -> Ruby Sprints. Blog post soon :D
In the month of February, I did a lot of Debian work.

// given limited time in March, this section is yet to be updated.

One exciting blog post coming very soon.

Until next time.
:wq for today.

