Package: debian-security-support Severity: normal Tags: security X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>, Freexian Debian LTS <deblts-t...@freexian.com>
Hi
I'm going to prepare a MR to add intel-mediasdk to be added to
security-support-ended.deb11.
(I've sent this mail originaly to the LTS team mailing list, quoting for
context. Conclusion was to drop support for intel-mediasdk for LTS,
especially as a RM bug has been filed too, #1082801)
TL;DR: I was triaging intel-mediasdk and I'd propose either ignore the
package
or updating to the version in bookworm for partial fixing.
Please share your thoughts!
Updating would fix CVE-2022-27170 CVE-2022-34346 CVE-2022-34841
CVE-2022-35883 and CVE-2022-36289.
The remaining are CVE-2023-45221 CVE-2023-47169
CVE-2023-47282 CVE-2023-48368 and CVE-2023-48727 and should probably
marked as "ignored" as the security team did for bookwom
(For completeness, CVE-2023-22656 is marked "no-dsa" for bookworm,
not enough informatio to fix that one either.)
intel-mediadsk is dead upstream since May 17, 2023 and for all their
CVEs there is no information beside that there is a Intel SAA available.
The SAA are basically nothing-saying, except that some of the CVES state
that upstream version 22.2.2 fixes them, backed up by the information in
the Intel SAA. Bookworm is at 22.5.4.
The remaining CVEs have never been fixed upstream and Intel made it
clear that they won't. The successor of mediasdk is onevpl and while
onevpl has bascially the same CVEs (which have been fixed upstream
according to the SAAs) it lacks enough information to be able to hunt
down required patches. Alas, I even cannot find the source for the
openvpl version claiming that it fixes the bugs at all (the repo the
Debian package links to has only a very old version or the upstream
versions numbers refer to some other piece of software...)
--
tobi
signature.asc
Description: PGP signature
