systemrescuecd-x86-6.0.0 comes with the following packages from Arch Linux:
AFAICS, they are vulnerable to the issues of GLSA 201903-03 and GLSA 201903-16, respectively.
systemrescuecd-x86-5.3.2 (which is Gentoo based) ships these:
dev-libs/openssl-1.0.2p (GLSA 201903-10)
net-misc/openssh-7.7_p1-r9 (GLSA 201903-16)
net-misc/curl-7.61.1 (GLSA 201903-03)
net-misc/wget-1.19.5 (GLSA 201903-08)
There are more packages, but the above are amongst those that are likely to be used in a rescue environment.
Newest upstream version 6.0.3 still has several vulnerabilities (using the list at https://security.archlinux.org/issues/all):
polkit 0.115+24+g5230646-1 https://security.archlinux.org/AVG-897
gettext 0.19.8.1-3 https://security.archlinux.org/AVG-885
glibc 2.28-5 https://security.archlinux.org/AVG-855
openssh 7.9p1-1 https://security.archlinux.org/AVG-849
libarchive 3.3.3-1 https://security.archlinux.org/AVG-837
libtiff 4.0.10-1 https://security.archlinux.org/AVG-886
glibc 2.28-5 https://security.archlinux.org/AVG-831
openssl 1.1.1.b-1 https://security.archlinux.org/AVG-919
unzip 6.0-13 https://security.archlinux.org/AVG-611
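As an added example (not from the bug report, Gentoo or SystemRescueCd), the following script parses the two inventory formats quoted above, the Arch tracker lines and the Gentoo `category/name-version (GLSA ...)` lines, and reports which packages carry more than one open advisory and which are flagged in both images. The input is the lines quoted in this report, embedded as constructed sample data; no live tracker query is made.

```python
import re
from collections import defaultdict
# Constructed sample input: the inventory lines quoted in this bug report.
ARCH_6_0_3 = """\
polkit 0.115+24+g5230646-1 https://security.archlinux.org/AVG-897
gettext 0.19.8.1-3 https://security.archlinux.org/AVG-885
glibc 2.28-5 https://security.archlinux.org/AVG-855
openssh 7.9p1-1 https://security.archlinux.org/AVG-849
libarchive 3.3.3-1 https://security.archlinux.org/AVG-837
libtiff 4.0.10-1 https://security.archlinux.org/AVG-886
glibc 2.28-5 https://security.archlinux.org/AVG-831
openssl 1.1.1.b-1 https://security.archlinux.org/AVG-919
unzip 6.0-13 https://security.archlinux.org/AVG-611
""".splitlines()
GENTOO_5_3_2 = """\
dev-libs/openssl-1.0.2p (GLSA 201903-10)
net-misc/openssh-7.7_p1-r9 (GLSA 201903-16)
net-misc/curl-7.61.1 (GLSA 201903-03)
net-misc/wget-1.19.5 (GLSA 201903-08)
""".splitlines()

# Arch tracker style: "name version https://security.archlinux.org/AVG-NNN"
ARCH_RE = re.compile(r"^(\S+)\s+(\S+)\s+https://security\.archlinux\.org/(AVG-\d+)$")
# Gentoo style: "category/name-version (GLSA YYYYMM-NN)"; non-greedy name, split at first "-<digit>"
GENTOO_RE = re.compile(r"^(?:[\w+-]+/)?([\w+-]+?)-(\d\S*)\s+\((GLSA \d{6}-\d{2})\)$")

def parse_inventory(lines):
    """Return (name, version, advisory) tuples; lines in neither format are skipped."""
    records = []
    for line in lines:
        m = ARCH_RE.match(line.strip()) or GENTOO_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records

def advisories_by_package(records):
    """Map package name -> sorted advisory ids it is listed under."""
    index = defaultdict(set)
    for name, _version, advisory in records:
        index[name].add(advisory)
    return {name: sorted(ids) for name, ids in index.items()}

def packages_with_multiple_advisories(records):
    """Packages listed under more than one open advisory (glibc in the 6.0.3 list)."""
    return sorted(n for n, ids in advisories_by_package(records).items() if len(ids) > 1)

def shared_affected_packages(records_a, records_b):
    """Package names flagged in both images, e.g. the 5.3.2 and 6.0.3 inventories."""
    return set(advisories_by_package(records_a)) & set(advisories_by_package(records_b))
```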
Oh, they changed release hosting, so I didn't get new versions via RSS.
I'm not sure if I should bump them or just mask it as unmaintainable. After all, we won't be patching the prebuilt .iso. (of course, technically we could try building it from scratch ;-))
The bug has been referenced in the following commit(s):
Author: Michał Górny <email@example.com>
AuthorDate: 2019-04-18 11:43:13 +0000
Commit: Michał Górny <firstname.lastname@example.org>
CommitDate: 2019-04-18 11:44:44 +0000
package.mask: Mask app-admin/systemrescuecd-x86 for vulnerabilities
Signed-off-by: Michał Górny <email@example.com>
profiles/package.mask | 6 ++++++
1 file changed, 6 insertions(+)
Can you describe any scenarios where these vulnerabilities affect the use of this mini-distro as a system rescue CD? I looked at the linked ones and feel that deleting this package for "security issues" is stupid. Whatever. Go ahead and apply your headless chicken security practices. I'll just keep/maintain the ebuild myself. It's not like I don't have plenty of games with similar overblown security warnings that I have to now maintain myself (for myself; the requirements for becoming a Gentoo maintainer require far too much investment into "the community" of a distro that I hate, for exactly this kind of activity).
(In reply to Thomas J. Moore from comment #4)
This is treated like any other vulnerable package, according to policy:
As it is a binary package, there is not much that we can do, other than waiting for a fixed release from upstream. Unmask the package if you believe that the risk is negligible for your use case. However, we cannot answer that question for all users.
I personally do not see the point in maintaining systemrescuecd as a package in general.
From security POV: Gentoo security will not track vulnerabilities within systemrescuecd on our own. In case there is an upstream advisory for the product in general, we will do our work, but we will not audit and keep track of included libs/packages, as we don't even have enough manpower to keep up with real packages in Gentoo.
I am also not aware of any other distribution doing something like that for their own installation media. From time to time, they will just replace previous version with a new version. It's also normal these days that you can use such a medium for installation OR to boot a live system. Once booted, you can update the running live system using known package managers (which is even possible for systemrescuecd).
=> Closing security bug as "WONTFIX".
@ maintainer(s): Feel free to lift the mask if you see a value in keeping systemrescuecd as a package, or last rite it.