
(E)LTS report for June 2023

I've worked during June 2023 on the below listed packages, for Freexian

Many thanks to Freexian and our sponsors [2] for providing this opportunity!


 Triaging with the result that an update probably
 does not make sense as fixes for CVEs are not available for the version
 in buster, and a newer version has the danger that it does not support all
 cards that were originally. The libraries might also break ABI.
 See also Andreas' reply in the thread starting at


 Ongoing work to prepare updated packages for CVE-2017-1000071,
 an authentication bypass vulnerability (please see the CVE for details.)
 Unfortunately the change required is API breaking, so reverse dependencies
 need to be fixed as well. In buster, those are:
 - fusiondirectory (patch for the CVE-2017-1000071 ready)
 - ocsinventory-server (TODO)

 As users might be using software using php-cas not in Debian, to give them
 an opportunity to fix the packages on their side, preliminary packages are
 available. See this thread and replies for more information and where those
 are: https://lists.debian.org/debian-lts/2023/06/msg00058.html

 fusiondirectory needs also some fixes of its own; I'm coordinating the upload
 with Abhijith PA, as they have been working on the package for those.

 The plan is to upload php-cas, fusiondirectory and ocsinventory-server at the
 same time, once ocsinventory-server is ready.

 For stretch, php-cas has only unsupported reverse dependencies in Debian,
 still this needs coordination with users of the package to get their
 software updated. After this coordination is done, I'll plan to upload php-cas
 for stretch.


 ELA-888-1 (stretch/jessie), CVE-2023-33460, a memory leak that can lead to

[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors

