Package: debian-security-support
Severity: normal
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>, Freexian Debian LTS <deblts-t...@freexian.com>

Hi

I'm going to prepare a MR to add intel-mediasdk to
security-support-ended.deb11.

(I've sent this mail originally to the LTS team mailing list, quoting for
context. Conclusion was to drop support for intel-mediasdk for LTS,
especially as a RM bug has been filed too, #1082801)


    TL;DR: I was triaging intel-mediasdk and I'd propose either ignoring the
    package or updating to the version in bookworm for partial fixing.
    
    Please share your thoughts!
    
    Updating would fix CVE-2022-27170 CVE-2022-34346 CVE-2022-34841
    CVE-2022-35883 and CVE-2022-36289.
    
    The remaining are CVE-2023-45221 CVE-2023-47169
    CVE-2023-47282 CVE-2023-48368 and CVE-2023-48727 and should probably be
    marked as "ignored" as the security team did for bookworm
    (For completeness, CVE-2023-22656 is marked "no-dsa" for bookworm,
    not enough information to fix that one either.)
    
    intel-mediasdk is dead upstream since May 17, 2023 and for all their
    CVEs there is no information besides that there is an Intel SAA available.
    The SAAs are basically nothing-saying, except that some of the CVEs state
    that upstream version 22.2.2 fixes them, backed up by the information in
    the Intel SAA.  Bookworm is at 22.5.4.
    
    The remaining CVEs have never been fixed upstream and Intel made it
    clear that they won't. The successor of mediasdk is onevpl and while
    onevpl has basically the same CVEs (which have been fixed upstream
    according to the SAAs) it lacks enough information to be able to hunt
    down required patches. Alas, I cannot even find the source for the
    onevpl version claiming that it fixes the bugs at all (the repo the
    Debian package links to has only a very old version or the upstream
    version numbers refer to some other piece of software...)

--
tobi
