June Debian (E)LTS Monthly Report for Scarlett Moore



Here is my public monthly report.

Thanks to our sponsors for making this possible, and to Freexian for
handling the offering.
https://www.freexian.com/lts/debian/#sponsors

LTS:

- golang-yaml.v2
 - buster:
   - CVE-2021-4235
   - CVE-2022-3064
   - Add upstream patch with style fixes for CVE-2022-3064 so
     that we are in line with upstream code if there happens to
     be another security update.
 - Verified the i386 test is broken prior to these patches and is
   completely unrelated to the code changes, and the upload can continue.

Ready to upload but out of LTS time - will upload in July after the US 
holiday.
https://salsa.debian.org/lts-team/packages/golang-yaml.v2

- qt4-x11
 - buster:
   - CVE-2023-34410
   - CVE-2023-32573
   - CVE-2021-45930
   - CVE-2021-3481
Patches and local testing done.
https://salsa.debian.org/qt-kde-team/qt/qt4-x11/-/commits/buster

 - CVE-2023-32763: Attempted to backport upstream patch for qt 5.15.15 but the
code has changed too dramatically from qt4 -> qt5 and the fix uses
private overflow functions that do not exist in qt4. I am reaching out to some
qt connections I have for help and to see if it is even possible to backport.

ELTS:
 - stretch:
  -  CVE-2023-34410
  -  CVE-2023-32573
Patches and local testing done.
Also affected by
  -  CVE-2023-32763 - see above

https://salsa.debian.org/qt-kde-team/qt/qt4-x11/-/commits/debian%2Fstretch

 - jessie:
  -  CVE-2023-34410
  -  CVE-2023-32573
  -  CVE-2021-45930
  -  CVE-2021-3481
Patches and local testing done.

https://salsa.debian.org/qt-kde-team/qt/qt4-x11/-/commits/jessie

I am awaiting feedback for CVE-2023-32763 before uploading. If anyone here has
QT experience and would like to take a look, please don't hesitate to reach
out.

Misc:
 Spent some free time familiarizing myself with django and package tracker
code.

Team monthly meeting

Thanks,
Scarlett