Hello,
This was my fourth month working on LTS and ELTS. Thank you to Freexian
and Freexian's sponsors for making these projects possible:
<https://www.freexian.com/lts/debian/#sponsors>
LTS

- qemu
  - Released DLA-3604-1 fixing CVE-2020-24165, CVE-2023-0330 and
    CVE-2023-3180.
  - I couldn't get upstream's test for the fix for CVE-2023-0330 to run
    in a reasonable amount of time of trying, so I had to find a way to
    test it manually. I used some information I found in an older
    security flaw in the lsi53c810 emulator to construct a test qemu
    invocation that I was happy would exercise the emulator.
- python3.7
  - Released DLA-3614-1 fixing CVE-2022-48560, CVE-2022-48564,
    CVE-2022-48565, CVE-2022-48566 and CVE-2023-40217.
- nghttp2
  - Released DLA-3621-1 fixing CVE-2020-11080 and CVE-2023-44487.
- nss
  - Released DLA-3634-1 fixing CVE-2020-25648 and CVE-2023-4421.
- Reviewed a failed piuparts pipeline for my ncurses upload last month,
  and decided that it didn't make sense to really dig into it, given the
  other testing I did for that upload.
- Read up on the EU's new Cyber Resilience Act, here:
  <https://www.linuxfoundation.org/blog/understanding-the-cyber-resilience-act>
  (pointer from the oss-security list)
- Other minor updates to team notes & documentation.
- Participated in the monthly meeting, this month by Jitsi.

ELTS

- python-reportlab
  - Released ELA-983-1 fixing CVE-2019-19450 and CVE-2020-28463.
  - I discovered that the package FTBFS because of some file-not-found
    errors in some cleanup code in setup.py. I suppressed the errors,
    and used binary debdiff to confirm that nothing else was changed.
    debdiff is useful here because setup.py is involved in what exactly
    gets installed.
  - One new test added by the patch failed with Python 3 due to API
    changes in Python's core module for processing base64-encoded data.
    I hacked in a fix and confirmed the test passed, but decided not to
    commit or upload the change, at least for now.
--
Sean Whitton