Package: debian-security-support
Severity: normal
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>, Freexian Debian LTS <deblts-t...@freexian.com>
Hi,

I'm going to prepare a MR to add intel-mediasdk to security-support-ended.deb11. (I've sent this mail originally to the LTS team mailing list, quoting for context. The conclusion was to drop support for intel-mediasdk for LTS, especially as a RM bug has been filed too, #1082801.)

TL;DR: I was triaging intel-mediasdk and I'd propose either ignoring the package or updating to the version in bookworm for partial fixing. Please share your thoughts!

Updating would fix CVE-2022-27170, CVE-2022-34346, CVE-2022-34841, CVE-2022-35883 and CVE-2022-36289. The remaining ones are CVE-2023-45221, CVE-2023-47169, CVE-2023-47282, CVE-2023-48368 and CVE-2023-48727, and they should probably be marked as "ignored" as the security team did for bookworm. (For completeness, CVE-2023-22656 is marked "no-dsa" for bookworm; not enough information to fix that one either.)

intel-mediasdk is dead upstream since May 17, 2023, and for all their CVEs there is no information besides that there is an Intel SAA available. The SAAs are basically nothing-saying, except that some of the CVEs state that upstream version 22.2.2 fixes them, backed up by the information in the Intel SAA. Bookworm is at 22.5.4. The remaining CVEs have never been fixed upstream and Intel made it clear that they won't.

The successor of mediasdk is onevpl, and while onevpl has basically the same CVEs (which have been fixed upstream according to the SAAs), it lacks enough information to be able to hunt down the required patches. Alas, I cannot even find the source for the onevpl version claiming that it fixes the bugs at all (the repo the Debian package links to has only a very old version, or the upstream version numbers refer to some other piece of software...).

-- tobi