I've worked during August 2023 on the below listed packages, for Freexian LTS/ELTS [1]. Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS:
===

docker.io:
* Santiago is trying to test my release. Testing is especially complicated due to the lack of an integration test case related to CVE-2023-28840, CVE-2023-28840, CVE-2023-28842. We have created a first integration test case that demonstrated that the overlay network was not encrypted. We tried also under sid and the last upstream version. However, after reporting this fact and some extended investigation by upstream, it was (hopefully) a false positive due to the lack of documentation of the swarm overlay network. Upstream thanked us for the report and will improve the documentation. Testing is still under way.

php-dompdf:
* I have released DLA-3495-2. The Ubuntu security team noted after extensive testing that DLA-3495-1 was incomplete, as one PoC for CVE-2022-2400 (particularly the chroot escape) was still working on the patched version of the package. Further analysis of the upstream patch and the DLA-3495-1 version helped to identify that the vulnerability was still present due to DLA-3495-1 not including commit 7adf00f9, which added chroot checks to one of the code paths. Special thanks to Camila Camargo de Matos of the Ubuntu security team.

libreoffice:
* I have released DLA-3526-1 for CVE-2022-38745 CVE-2023-0950 CVE-2023-2255. The upstream patch led to a compilation error and I have backported some functionality from 6.4 to 6.1.

sox:
* I have released DLA-3527-1 for CVE-2023-32627 by forward porting from ELTS.

Chef:
* I have triaged CVE-2023-28864 and concluded it was not a concern for us.

ELTS:
====

Bouncycastle:
* I have released ELA-913-1 fixing CVE-2023-33201.

sox:
* I have triaged CVE-2023-33201, CVE-2023-34432, CVE-2023-34432 and after testing and debugging concluded that previous fixes included in the Debian version of sox fix these CVEs. I have reported this upstream and to the CNA.
* I have fixed CVE-2023-32627 by analysing the vulnerability. The test case included in the vulnerability report was inefficient because the vulnerability was masked by previous fixes included in the Debian version (bail out early due to an unrelated fuzzing pattern). However, this CVE was a new one, and needed to be fixed. I have created a patch fixing the vulnerability and tested it. I have reported upstream and to the CNA. I have released ELA-918-1.

runc:
* I am going to backport the buster version for fixing the remaining CVEs. The backport is especially hard due to the fact that go is statically linked and I need to upgrade the package. In order to avoid a binNMU explosion, I have created a working proof of concept by vendoring a few depends. Vendoring was done by using multiple upstream tarballs in the source package (as done usually for javascript packages). dh_golang in ELTS was not vendoring friendly and a manual debian/rules was needed. Work is incomplete due to the lack of an integration test and the need to check reverse depends. An ongoing discussion is under way for maybe providing this package in a backport repository.

I have also participated in the (E)LTS meeting and in improving the internal documentation of the team.

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors

Cheers,