
(E)?LTS report for July



I've worked during July 2023 on the packages listed below, for Freexian
LTS/ELTS [1].

Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS:
====

docker.io:
* I have continued my work on docker.io and investigated FTBFS #1040141
linked to the fallout of CVE-2022-39253. This was fixed.
* Santiago is trying to test my release and
I am currently analysing the results of the test case made by Santiago.
We are both trying to create and document a robust test case for
swarm mode. For now we have validated that our patches do not break external
connectivity to swarm mode. We are going to test if the overlay network is correctly encrypted
and if foreign packets on overlay internal nodes are correctly dropped.

ruby-redcloth:
* I have released DLA-3480-1

libusrsctp:
* I have released DLA-3481-1

php-dompdf:
* I have triaged this package and found that the LTS version is not affected by one of the CVEs.
* Backported and fixed CVE-2021-3838. The code has massively changed compared to the upstream fix.
I have also created a test case for checking correctness.

ELTS:
=====

SALT:
I have continued to work on SALT and investigated the possibility of a backport.
A backport was not possible because the protocol used by SALT changed and breaks
forward/backward compatibility even in case of a backport, plus dependency problems (needs
a backported python).


python-werkzeug:
* Backported patches from buster and released ELA-897-1

phpseclib:
* I investigated whether minimal changes were possible and backporting patches was feasible. I concluded that
a backport of buster was preferable (last stable version from upstream). I have released ELA-903-1.

ckeditor:
* I have released ELA-905-1 fixing a regression from stretch/buster. This regression was introduced in
DLA-2813-1 for stretch and ELA-513-1 for jessie.

imagemagick:
* I have pushed some tests for checking if imagemagick is affected by some security vulnerabilities found in the latest upstream version.
I have opened CVEs related to these vulnerabilities.

ruby-rack:
* I have investigated if CVE-2023-27530 and CVE-2023-27539 are fixed as stated by upstream.
Found they are not fixed and need fixing.

runc:
* I have investigated how to fix it. The security problem is due to a breach of contract between docker, kernel and runc.
Backporting to a recent version seems the only reasonable option but will need golang 1.16 (ok for stretch). This needs to wait
for the release of a fixed docker.io version first. Maybe it will need a backport of some docker functionality into docker.

Bouncycastle:
I have investigated the recent CVE and found the upstream commit fixing it.


I have also participated in the (E)LTS meeting and improved the internal documentation of the team.

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors

Cheers,
