
(E)LTS report for September 2023



I've worked during September 2023 on the packages listed below, for
Freexian LTS/ELTS [1].

Many thanks to Freexian and sponsors [2] for providing this opportunity!

ELTS:
====

zabbix - ELA-945-1, ELA-957-1
  After zabbix was released in August for buster (DLA-3538-1), I
  continued the work to cover Stretch, which was released as
  ELA-945-1 in early September.

  Afterwards, I worked on fixing Jessie as well -- ELA-957-1.

  A noteworthy change is for CVE-2013-7484, which changes the way the
  password is saved in the database to a more secure way.  This required
  an update of the database schema, and a "Debian" specific db version
  identifier, unused by upstream, to be employed, so that later database
  updates won't be affected. Passwords will be re-hashed when users log in.

  The upgrade path all the way from Jessie to Bookworm is not impaired;
  the packages in those suites already employ the database change and the
  db update is idempotent. (This assumes (E)LTS updates are used.)

  The Jessie codebase was naturally even older than the Stretch codebase,
  and provided extra challenges, as all patches had to be manually
  backported to the version in Jessie. Due to the refactoring efforts
  upstream has put into the codebase, many fixes required locating
  additional places which needed fixing as well, and as those backports
  were not that straightforward, a lot of testing was conducted
  to reduce the risk of breakages as much as possible.
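The password-storage change described above, as an added example that is not code from the zabbix package or from this update: a small Python model of an idempotent database migration gated on a distribution-specific dbversion marker, with passwords re-hashed from the legacy unsalted MD5 form to a salted PBKDF2 hash the next time the user logs in. The table layout, the marker value, the "md5$"/"pbkdf2$" prefixes and PBKDF2 as the stronger hash are all assumptions made for the example; the tagging step exists because the plaintext is only available at login time, which is why the re-hash cannot happen during the migration itself.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumptions for this example (not Zabbix's real schema or Debian's real value):
# a dbversion row holds the applied schema version, and a distribution-specific
# number well above upstream's counter marks "password storage migrated".
DEBIAN_DB_VERSION = 9_990_001
LEGACY_PREFIX = "md5$"      # tags not-yet-migrated hashes so login can recognise them
STRONG_PREFIX = "pbkdf2$"
PBKDF2_ROUNDS = 100_000


def open_db():
    """Constructed sample database: one user stored with an unsalted MD5 hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE dbversion (mandatory INTEGER, optional INTEGER)")
    db.execute("INSERT INTO dbversion VALUES (3000000, 3000000)")
    db.execute("CREATE TABLE users (alias TEXT PRIMARY KEY, passwd TEXT)")
    db.execute("INSERT INTO users VALUES ('Admin', ?)",
               (hashlib.md5(b"zabbix").hexdigest(),))
    db.commit()
    return db


def migrate(db):
    """Idempotent schema update.

    Returns True when the migration was applied, False when the marker shows it
    already ran. Legacy hashes are tagged, not rewritten: the plaintext is only
    available at login time, so re-hashing must wait until then.
    """
    (optional,) = db.execute("SELECT optional FROM dbversion").fetchone()
    if optional >= DEBIAN_DB_VERSION:
        return False
    db.execute(
        "UPDATE users SET passwd = ? || passwd "
        "WHERE passwd NOT LIKE ? AND passwd NOT LIKE ?",
        (LEGACY_PREFIX, LEGACY_PREFIX + "%", STRONG_PREFIX + "%"),
    )
    db.execute("UPDATE dbversion SET optional = ?", (DEBIAN_DB_VERSION,))
    db.commit()
    return True


def strong_hash(password):
    """Salted PBKDF2-HMAC-SHA256, encoded as pbkdf2$<salt hex>$<digest hex>."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{STRONG_PREFIX}{salt.hex()}${dk.hex()}"


def verify(stored, password):
    """Constant-time comparison against whichever format the row holds."""
    if stored.startswith(LEGACY_PREFIX):
        digest = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(digest, stored[len(LEGACY_PREFIX):])
    if stored.startswith(STRONG_PREFIX):
        _, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False   # unknown / untagged format: refuse rather than guess


def login(db, alias, password):
    """Authenticate; on success, upgrade a legacy hash in place."""
    row = db.execute("SELECT passwd FROM users WHERE alias = ?", (alias,)).fetchone()
    if row is None or not verify(row[0], password):
        return False
    if row[0].startswith(LEGACY_PREFIX):
        db.execute("UPDATE users SET passwd = ? WHERE alias = ?",
                   (strong_hash(password), alias))
        db.commit()
    return True


def stored_hash(db, alias):
    """Helper for inspection and tests."""
    return db.execute("SELECT passwd FROM users WHERE alias = ?", (alias,)).fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    print("migrated:", migrate(db), "again:", migrate(db))
    print("login ok:", login(db, "Admin", "zabbix"))
    print("now stored as:", stored_hash(db, "Admin")[:12] + "...")
```

Running migrate() twice is the property the report relies on for the Jessie-to-Bookworm upgrade path: the second call sees the marker and does nothing, and a wrong password never triggers the re-hash.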


LTS:
====

firmware-nonfree - DLA-3596-1
  Following Intel's security advisory INTEL-SA-00766, several firmware
  blobs for some of their Wifi/Bluetooth products have been updated to
  fix several CVEs.

  Firmware blobs provide their own challenges, as obviously there is
  no source to inspect to verify things, and additionally the vendor is not
  very clear in their communication in a way that would help identify the
  correct firmware blob, so the only information available was that the
  problem is "Fixed upstream in linux-firmware/20230804".

  Looking at the repository I could identify a few commits that
  were touching Intel firmware files, extract the updated files,
  and cherry-pick them into an updated buster firmware-nonfree
  package. Feedback from the package maintainers was that this is normal
  and the only thing we can do, unfortunately.

  Firmware blobs provide their own challenges (yes, I'm repeating
  myself :). It seems that the Intel blob <-> kernel interface uses
  a versioned ABI, and the kernels can only cater for a certain range. That
  means that *some* of the updated firmware files will not be loadable
  by buster's kernel, a thing that I only figured out _after_ I had
  already integrated the files into the packaging and checked with the
  Linux kernel sources.
  I left them in, in the hope that there are folks who will still
  benefit from them; however, I encourage people to verify their
  setup so that they know if they are still vulnerable.

  Unfortunately, this is all we can do when non-free binary blobs
  are involved.
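As an added check in the spirit of the "verify your setup" advice above (this is not code from the firmware-nonfree package or from the Debian kernel team), the following Python compares the iwlwifi firmware API versions present on disk with the API version the running kernel reports it loaded. The file list and dmesg lines are constructed samples, modelled on linux-firmware's "iwlwifi-<family>-<api>.ucode" naming and on the driver's "loaded firmware version NN.xxx" message; check both patterns against your own system before relying on them. The firmware family of a device is supplied by the caller (from lspci or the driver's own detection message), since not every kernel prints the file name it loaded. If a newer .ucode sits on disk than what was loaded, the updated blob has not reached that device and the kernel's supported API range is the likely reason.

```python
import re

# Constructed sample of /lib/firmware contents (naming modelled on linux-firmware).
SAMPLE_FILES = [
    "iwlwifi-9000-pu-b0-jf-b0-34.ucode",
    "iwlwifi-9000-pu-b0-jf-b0-38.ucode",
    "iwlwifi-9000-pu-b0-jf-b0-46.ucode",
    "iwlwifi-8265-36.ucode",
    "iwlwifi-7265D-29.ucode",
]

# Constructed sample dmesg excerpt (wording modelled on the iwlwifi driver;
# compare with your own kernel's output before trusting the pattern).
SAMPLE_DMESG = """\
[    2.250] iwlwifi 0000:00:14.3: loaded firmware version 38.755cfdd8.0 op_mode iwlmvm
[    3.010] iwlwifi 0000:00:14.3: Detected Intel(R) Dual Band Wireless AC 9560, REV=0x318
"""

UCODE_RE = re.compile(r"^iwlwifi-(?P<family>.+)-(?P<api>\d+)\.ucode$")
LOADED_RE = re.compile(r"(?P<dev>iwlwifi \S+): loaded firmware version (?P<api>\d+)\.")


def api_versions_on_disk(files):
    """family -> sorted API versions present, parsed from the file names."""
    found = {}
    for name in files:
        m = UCODE_RE.match(name)
        if m:
            found.setdefault(m["family"], []).append(int(m["api"]))
    return {fam: sorted(v) for fam, v in found.items()}


def loaded_api_versions(dmesg_text):
    """device -> API version of the firmware the kernel actually loaded."""
    loaded = {}
    for line in dmesg_text.splitlines():
        m = LOADED_RE.search(line)
        if m:
            loaded[m["dev"]] = int(m["api"])
    return loaded


def check_device(files, dmesg_text, family):
    """For each iwlwifi device seen in dmesg: the loaded API version and any
    newer .ucode files of the given family that the kernel did not pick up."""
    on_disk = api_versions_on_disk(files).get(family, [])
    report = {}
    for dev, api in loaded_api_versions(dmesg_text).items():
        report[dev] = {
            "loaded": api,
            "newer_on_disk": [v for v in on_disk if v > api],
        }
    return report


if __name__ == "__main__":
    # On a real system: files = os.listdir("/lib/firmware"), dmesg_text from `dmesg`.
    for dev, info in check_device(SAMPLE_FILES, SAMPLE_DMESG, "9000-pu-b0-jf-b0").items():
        if info["newer_on_disk"]:
            print(f"{dev}: kernel loaded API {info['loaded']}, "
                  f"but API {info['newer_on_disk']} is on disk and unused")
        else:
            print(f"{dev}: loaded API {info['loaded']}, newest available")
```

In the constructed sample the kernel loaded API 38 while a 46 blob is present, which is exactly the situation the report describes: the package update shipped the file, but this kernel will not load it.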


nasm:
  Administrative work (creation of the repository) and some analysis.
  After that the CVEs were re-triaged and their severity reduced
  to "unimportant", so I was informed that we won't issue an update
  of nasm at this moment and should not continue on the package.

suricata:
  Administrative work (creation of the repository) and some analysis.
  There was information that another contributor had done analysis
  already a few months ago, but the result was nowhere to be found, so I
  reached out to them and in the course of that determined that it is better
  that said contributor will finish the work.

freerdp2:
  Started working on this package; the work will continue in October.
  So far, I analysed the package to determine the best course of
  action. As the package has 60 CVEs open, and only a few have spelled
  out the explicit patches that are required to fix them, I first investigated
  whether it is possible to pull in a new upstream version, for example the
  bullseye version (2.3.0), but unfortunately vinagre started to show
  only black screens with that version -- which could of course be a
  vinagre problem, as remmina for example continued to work -- but this shows
  that this path is too risky.
  A second test was done with 2.0.0 -- which is only the next release after the
  git commit that had been packaged for buster -- in the hope that this
  would pull the buster version to an officially released version and
  therefore already fix a lot of vulnerabilities, but unfortunately it
  brought the same result, so it is probably worth the time to take
  another look in vinagre's direction…

[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors

Cheers,
-- 
tobi
