During September 2023 I worked on the packages listed below for Freexian LTS/ELTS [1]. Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS
===

prometheus-alertmanager
-----------------------

I have released DLA 3609-1 following fixes from the previous month.

batik
-----

I have fixed multiple Server-Side Request Forgery (SSRF) vulnerabilities: CVE-2020-11987, CVE-2022-38398, CVE-2022-38648, CVE-2022-40146, CVE-2022-44729, CVE-2022-44730, by backporting bullseye fixes and other distribution fixes.

CVE-2022-44730 first caused an FTBFS. Investigation shows that requiring maven source 1.7 fixes it, but this fix does not work on buster. Thus I rewrote the patch to avoid the caret <> operator in Java 1.6.

I released DLA 3619-1.

ring
----

I tried the patch from roberto about CVE-2021-32686. The patch still mismerges. Moreover, vulnerable code seems to be present due to manual patching at build time under daemon/contrib/src/pjproject/gnutls.patch. This patch manually fixes some CVEs but imports some experimental API not ported upstream. A risk analysis was carried out on my side, and a consensus should be achieved on this CVE.

imagemagick
-----------

I have triaged a few CVEs from upstream git.

ceph (4h)
---------

Fix CVE-2023-43040 Ceph: Improperly verified POST keys. Small change on backport; unfortunately the test suite blocks the build. Rebuilding directly using buster works. The build is slow (more than 8h), so I began a bisect, which unfortunately gave mixed results. It seems to be a transient bug, because the build now succeeds (even if slowly).

Thus I released DLA-3629, fixing CVE-2019-10222, CVE-2020-1700, CVE-2020-1760, CVE-2020-10753, CVE-2020-12059, CVE-2020-25678, CVE-2020-27781, CVE-2021-3524, CVE-2021-3531, CVE-2021-3979, CVE-2021-20288, CVE-2023-43040.

ruby-rmagick
------------

Investigated the patch and released a DLA for buster for CVE-2023-5349, a memory leak that crashes the Ruby application (DoS).

Release DLA 3625-1.

ELTS
====

python3.5
---------

I have fixed a regression in the CVE-2022-48560 patch that led to -Werror=declaration-after-statement.

I have fixed a regression in CVE-2021-3177: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement].

I have backported GH-4455, needed for fixing CVE-2022-4856[4-5].

I have fixed CVE-2022-48564: DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format. This needed a partial rewrite due to unsupported f-strings.

I have fixed CVE-2022-48565: An XML External Entity (XXE) issue was discovered in Python. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.

I am blocked by CVE-2023-40217: this patch needs a rewrite.
* No support from upstream
* Code has changed and some methods need to be emulated.
* need to move code and add a debug patch in order to avoid an FTBFS
* need to add more conditions to some paths
* also need to fix the asyncio path that chokes. Async makes debugging harder.

I am waiting here to have a fully functional autopkgtest suite, which chokes mainly on old certificates, after applying fixes from python3.4.

I have applied the following patches:
* fix testsuite with newer expat that crashes a test case using XML External Entity
* avoid testing with eatmydata of fdatasync
* refresh DH key and investigate crypto test failures => these ones are fixed
* backport bpo-38275: skip tests that fail due to SSL policy.
* Manually extract supported SSL versions (introduced in python3.7, not backportable); this needs parsing an OpenSSL private structure

SSL work is somewhat hard because certificate generation is not documented (neither in code nor in commits).

python3.4
---------

I have enabled GitLab tests in order to improve quality.

I have fixed a regression in the CVE-2022-48560 patch that led to -Werror=declaration-after-statement.

I have backported GH-4455, needed for fixing CVE-2022-4856[4-5].

I am going to fix the testsuite:
* fix testsuite with newer expat that crashes a test case using XML External Entity
* avoid testing with eatmydata of fdatasync
* refresh DH key and investigate crypto test failures => these ones are fixed
* backport bpo-38275: skip tests that fail due to SSL policy.
* Manually extract supported SSL versions (introduced in python3.7, not backportable); this needs parsing an OpenSSL private structure

common infrastructure
---------------------

I have improved part of the documentation, reviewed debusine, and improved the security tracker embedded-code-copy script so that it is useful for ELTS.

I have also helped others on IRC. A special thanks to Santiago for IRC talks.

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors

Cheers,
rouca
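As an added example (not part of the report above, nor of Debian's or upstream's patches), the following Python code shows what the CVE-2022-48565 fix does from a user's side: it probes whether the installed plistlib refuses an XML plist carrying an entity declaration, and provides a small pre-parse guard that mirrors that behaviour for interpreters that predate the fix. The sample plists are constructed here; the function names are this example's own.

```python
"""Check and mirror plistlib's rejection of XML entity declarations."""
import plistlib
import re

# Constructed sample: a benign XML plist.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>name</key><string>demo</string></dict></plist>
"""

# Constructed sample: the same plist with an internal DTD declaring an entity,
# the construct the patched plistlib rejects.
ENTITY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [ <!ENTITY demo "expanded"> ]>
<plist version="1.0"><dict><key>name</key><string>&demo;</string></dict></plist>
"""

# Regular plist files never carry a DOCTYPE or entity declaration, so
# refusing documents that contain one loses nothing legitimate.
_DECL_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b")


def plistlib_rejects_entity_decl() -> bool:
    """True if the running plistlib already refuses entity declarations."""
    try:
        plistlib.loads(ENTITY_PLIST)
    except plistlib.InvalidFileException:  # raised by the upstream fix
        return True
    return False


def safe_loads(data: bytes):
    """Parse a plist, refusing XML input that declares a DOCTYPE or entity.

    Binary plists (magic b"bplist") are not XML, so the check is skipped
    and the bytes go straight to plistlib.
    """
    if not data.startswith(b"bplist") and _DECL_RE.search(data):
        raise plistlib.InvalidFileException(
            "XML entity declarations are not supported in plist files")
    return plistlib.loads(data)


def guard_rejects(data: bytes) -> bool:
    """Convenience probe: does safe_loads refuse this input?"""
    try:
        safe_loads(data)
    except plistlib.InvalidFileException:
        return True
    return False
```

On an interpreter that already carries the fix, `plistlib_rejects_entity_decl()` returns True and the guard is redundant; on an older one it is the guard that stops the document before expat ever sees the DTD.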