Hi,

This month's activity consisted of:

- Releasing UWSGI fixing CVE-2023-27522, initially reported against apache2 but that may affect old versions of uwsgi. I reported this finding to the CVE database and the CVE was updated.
- The main part of the work was on the imagemagick package:
  * CVE-2021-3610 was incorrectly marked as not affecting imagemagick. I triaged it correctly and pinpointed when the faulty code was introduced.
  * CVE-2022-1115 was investigated and does not affect LTS.
  * Released DLA-3007-1 imagemagick.
  * During this backport work I investigated upstream git commits and noticed five security problems (triggered by corrupted files) not reported against CERT. I have reported them and am waiting for CVEs. These security problems include a stack overflow and a heap overflow.
  * Tried to backport CVE-2023-1289 to LTS and ELTS. Lack of time means no further work; will continue next month.
- Investigated whether node-got was immune to CVE-2022-33987. I created a test case and found that this package is not affected under buster.
- Fixed node-nth-check DLA-3428-1 and created a test case.

I also participated in the LTS meeting and helped other members.

Thanks to our sponsors for making this possible, and to Freexian for handling the offering.
https://www.freexian.com/lts/debian/#sponsors

rouca