(E)LTS report for August 2023



During July 2023 I worked on the packages listed below for Freexian
LTS/ELTS [1].

Many thanks to Freexian and sponsors [2] for providing this opportunity!

LTS:
====

zabbix -  DLA-3538-1 (see advisory for details.)

  A noteworthy change is for CVE-2013-7484, which changes the way
  the password is saved in the database to a more secure way.
  This requires an update of the database schema, and a "Debian"
  specific db version identifier, unused by upstream,
  to be employed, so that later database updates
  won't be affected. Passwords will be re-hashed when users log in.

  The upgrade path to bullseye and bookworm is not affected, as those
  packages already employ the database change and the db update is
  idempotent.

  Besides that, the package required significant effort in backporting
  the upstream patches, as the code has been refactored quite a bit
  since the version 4.0.4 in Debian buster and upstream is not always
  clear on which commit fixes what.

  In hindsight, as there are later 4.0.x upstream releases, it probably
  would have made sense to check if updating to the latest 4.0.x is
  possible/feasible for an LTS release and then tackle the remaining
  problems not addressed.


ELTS:
====

symfony - ELA-912-1 - finishing work on symfony.

  tackling CVE-2018-14774 CVE-2021-21424 CVE-2022-24894
  CVE-2022-24895. Please see the ELA for details.


opendkim - triaging

  creating the LTS git repository and analyzing CVE-2022-48521,
  but as there is no upstream patch and developing one will
  require significant time, I've shelved the package again to
  continue the work on zabbix/ELTS first.

zabbix - Work in Progress

  stretch package is almost ready; some more testing is required.

  A noteworthy change will be for CVE-2013-7484, which changes the way
  the password is saved in the database to a more secure way.  This
  requires an update of the database schema, and a "Debian" specific db
  version identifier, unused by upstream, to be employed, so that later
  database updates won't be affected. Passwords will be re-hashed when
  users log in.

  Like with the LTS package, the challenge on zabbix was that the codebase
  changed a lot, which requires that upstream patches be backported
  and also that checks be done on whether other code paths are affected by
  the same problems.

  I'm planning to tackle zabbix for Jessie in September.

[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors

Cheers,
-- 
tobi
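The two zabbix entries above describe a migration pattern worth seeing end to end: an idempotent schema step guarded by a distro-specific version marker that upstream never reads, and a "re-hash on login" path that verifies a stored legacy MD5 digest once and then replaces it with a salted, iterated hash. The following is an added illustration of that pattern, not code from the zabbix package or from the DLA/ELA work; the `users`/`dbversion` tables, the `debian` marker column and the PBKDF2 format are all invented for the example, and the in-memory SQLite database is constructed inline.

```python
"""Lazy re-hash of legacy MD5 password hashes on login, plus an idempotent,
distro-marked schema step. Illustrative code only (not zabbix's); the table
and column names and the 'debian' marker column are assumptions."""
import hashlib
import hmac
import os
import re
import sqlite3
from typing import Optional, Tuple

LEGACY_MD5 = re.compile(r"[0-9a-f]{32}")  # unsalted MD5 hex digest (legacy format)
PBKDF2_ITER = 210_000                       # current work factor for new hashes
DEBIAN_MARK = 1                             # hypothetical distro-only schema marker


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, self-describing so the work factor can grow later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITER)
    return f"$pbkdf2-sha256${PBKDF2_ITER}${salt.hex()}${dk.hex()}"


def check_password(stored: str, password: str) -> Tuple[bool, bool]:
    """Return (matches, needs_rehash). Accepts both the legacy MD5 and the new format."""
    if LEGACY_MD5.fullmatch(stored):
        legacy = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(legacy, stored), True   # always upgrade legacy hashes
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != "pbkdf2-sha256":
        return False, False                                # unknown format: reject
    iters, salt_hex, dk_hex = int(parts[2]), parts[3], parts[4]
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iters)
    # re-hash if the stored work factor has fallen below the current one
    return hmac.compare_digest(dk.hex(), dk_hex), iters < PBKDF2_ITER


def migrate_schema(conn: sqlite3.Connection) -> bool:
    """Add the distro-specific marker column and set it; True only on the first run.
    Upstream's own 'mandatory'/'optional' version columns are left untouched, so a
    later upstream upgrade that reads them is not confused by this change."""
    cols = {row[1] for row in conn.execute("PRAGMA table_info(dbversion)")}
    if "debian" not in cols:
        conn.execute("ALTER TABLE dbversion ADD COLUMN debian INTEGER NOT NULL DEFAULT 0")
    (mark,) = conn.execute("SELECT debian FROM dbversion").fetchone()
    if mark >= DEBIAN_MARK:
        return False                                       # already applied: no-op
    conn.execute("UPDATE dbversion SET debian = ?", (DEBIAN_MARK,))
    return True


def login(conn: sqlite3.Connection, alias: str, password: str) -> bool:
    """Verify the password; on success against a legacy hash, store the new hash."""
    row = conn.execute("SELECT userid, passwd FROM users WHERE alias = ?", (alias,)).fetchone()
    if row is None:
        return False
    ok, rehash = check_password(row[1], password)
    if ok and rehash:
        conn.execute("UPDATE users SET passwd = ? WHERE userid = ?",
                     (hash_password(password), row[0]))
    return ok


def demo() -> dict:
    """Constructed in-memory database with one user whose password is stored as MD5."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dbversion (mandatory INTEGER NOT NULL, optional INTEGER NOT NULL)")
    conn.execute("INSERT INTO dbversion VALUES (1, 1)")
    conn.execute("CREATE TABLE users (userid INTEGER PRIMARY KEY, alias TEXT UNIQUE, passwd TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (1, 'Admin', ?)", (hashlib.md5(b"zabbix").hexdigest(),))

    first = migrate_schema(conn)
    second = migrate_schema(conn)             # idempotent: nothing to do
    wrong = login(conn, "Admin", "nope")      # fails and must not touch the stored hash
    still_md5 = LEGACY_MD5.fullmatch(conn.execute("SELECT passwd FROM users").fetchone()[0]) is not None
    right = login(conn, "Admin", "zabbix")    # succeeds and re-hashes
    stored = conn.execute("SELECT passwd FROM users").fetchone()[0]
    again = login(conn, "Admin", "zabbix")    # now verifies against the new hash
    return {
        "migrated": first, "second_run": second, "wrong": wrong,
        "still_md5_after_wrong": still_md5, "right": right,
        "upgraded": stored.startswith("$pbkdf2-sha256$"), "again": again,
    }


if __name__ == "__main__":
    print(demo())
```

The two properties the report relies on are visible in `demo()`: running `migrate_schema` twice changes nothing the second time, and a failed login leaves the legacy digest in place, so only a successfully verified password is ever re-hashed.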
