[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

(E)?LTS report for july

I've worked during July 2023 on the below listed packages, for Freexian

Many thanks to Freexian and our sponsors [2] for providing this opportunity!


* I have continued my work on docker.io and investigate FTBFS #1040141
linked to fallout of CVE-2022-39253. This was fixed.
* Santiago is trying to test my release and
I am currently analysing the result of testing case made by Santiago.
We are both trying to create and documenting a robust test case for
swarm mode. For now we have validated that our patches does not break external
connectivity to swarm mode. We are going to test if overlay network is correctly encrypted
and if foreign packet on overlay internal node are correctly dropped.

* I have released  DLA-3480-1

*I have released DLA-3481-1

* I have triaged this package and found that the LTS version is not affected by one of the CVE
* Backport and fix CVE-2021-3838. Code has massively changed compared to upstream fix.
I have also created test case for checking correctness.

I have continued to work on SALT and investigate possibility of backport.
Backport was not possible because the protocol used by SALT changes and break
forward/backward compatibility even in case of backport, and dependencies problem (need 
a backported python).

* backport patches from buster and release ELA-897-1

* I investigate is minimal changes was possible and backporting patches was feasible. I concluded that
a backport of buster was preferable (last stable version from upstream). I have released ELA-903-1

* I have released ELA-905-1 fixing a regression from stretch/buster. This regression was introduced in
DLA-2813-1 for stretch and ELA-513-1 for jessie.

* I have pushed some test for checking if imagemagick is affected by zone security vulnerability found in lastest upstream version.
I have openned CVE releated to these vulnerabilities.

* I have investigated if CVE-2023-27530 and CVE-2023-27539 are fixed as said by upstream.
Found they are not fixed and need fixing.

*I have investigated how to fix. Security problem are due to a breach of contract between docker, kernel and runc.
Backport to a recent version seems the only reasonable option but will need golang 1.16 (ok for stretch). This need to wait
to release a fixed docker.io version first. may be it will need a backport of some docker functionality into docker.

I have investigated recent CVE and found upstream commit for fixing it.

I have also participated to (E)LTS meeting and improving internal documentation of the team.

[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors


Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: