Rare project developers

[mc36 <>]

On 7/22/22 10:00, Alexander Gall wrote:
> Hi csaba
>
> This is certainly relevant, but we have to distinguish a few things
> since we have multiple package collections in play here. The Debian
> system that's installed with ONIE (currently Debian 11.0) can (and
> should) be maintained like a regular system after installation,
> including security updates. The kernel is special, though.
>
> We can move to the newest Debian release for the installer whenever we
> create a new release, as long as the kernel is compatible with the
> SDE.
so these debian kernels are just a point release updates to the original ones,
that is, they are, except if we go with backported ones, who are the latest
greatest after 1-2 months in sid...



> On Fri, 22 Jul 2022 08:35:08 +0200, mc36 <> said:
>
> > a lot changed since the release got packages frozen about 2 years ago...
>
> Here you refer to the Nix-based packages, I assume.
yesss, i did...

> > the jvm we're shipping also had several cves, one accepts empty ec signatures 
> > as valid
> > (CVE-2022-21449), renderinging such signatures are hackable...
>
> In contrast, this is actually part of the Nix package
> collection. However, that jvm is used exclusively to run freerouter
> and nothing else. How would you assess the impact of this particular
> vulnerability for that specific purpose? It doesn't look critical to
> me according to the description:
> > "This vulnerability applies to Java deployments, typically in clients
> running sandboxed Java Web Start applications or sandboxed Java
> applets, that load and run untrusted code (e.g., code that comes from
> the internet) and rely on the Java sandbox for security"

so it was a missing emptyness check in the very core of ec signature 
verification,
affecting everything that uses that... most notably the tls handshake is the 
most
prominent example, but everything that does an ec verify operation is 
affected...


> > in the meanwhile, xavier's secops team is examining the images we
> > produced...
>
> I would be interested in what their methodology is and whether they
> understand the implications of our packaging approach.
meee tooo :)

> > all this point in one direction, it's time to plan for a regular bump of the 
> > packages we ship....
>
> To re-state what I said above: the packages that are "fixed" are those
> used exclusively to (build and) run freerouter, bf_switchd and
> bf_forwarder.  We have to keep that in mind when we assess the impact
> of vulnerabilites.
>
> The system itself can be kept up to date with security fixes
> independently of that (again, modulo the kernel).
here you're referring to what? just asking because the kernel is fixed 
because of the sde modules,
and the userland around freerouter is also fixed because of the nix version 
picked from 2 years ago...
the only relevant package an user could upgrade is sudo from debian, or 
so.... isn't it?

thanks,
cs