Debian LTS and ELTS -- October 2023


This was my fourth month working on LTS and ELTS.  Thank you to Freexian
and Freexian's sponsors for making these projects possible:


- qemu

  - Released DLA-3604-1 fixing CVE-2020-24165, CVE-2023-0330 and

  - I couldn't get upstream's test for the fix for CVE-2023-0330 to run
    in a reasonable amount of time, so I had to find a way to test it
    manually.  I used some information I found in an older security
    flaw in the lsi53c810 emulator to construct a test qemu invocation
    that I was happy would exercise the emulator.

- python3.7

  - Released DLA-3614-1 fixing CVE-2022-48560, CVE-2022-48564,
    CVE-2022-48565, CVE-2022-48566 and CVE-2023-40217.

- nghttp2

  - Released DLA-3621-1 fixing CVE-2020-11080 and CVE-2023-44487.

- nss

  - Released DLA-3634-1 fixing CVE-2020-25648 and CVE-2023-4421.

- Reviewed a failed piuparts pipeline for my ncurses upload last month,
  and decided that it didn't make sense to really dig into it, given the
  other testing I did for that upload.

- Read up on the EU's new Cyber Resilience Act, here:
  (pointer from the oss-security list)

- Other minor updates to team notes & documentation.

- Participated in the monthly meeting, this month via Jitsi.


- python-reportlab

  - Released ELA-983-1 fixing CVE-2019-19450 and CVE-2020-28463.

  - I discovered that the package FTBFS because of some file not found
    errors in some cleanup code in setup.py.  I suppressed the errors,
    and used binary debdiff to confirm that nothing else was changed.
    debdiff is useful here because setup.py is involved in what exactly
    gets installed.

  - One new test added by the patch failed with Python 3 due to API
    changes in Python's core module for processing base64 encoded data.
    I hacked in a fix and confirmed the test passed, but decided not to
    commit or upload the change, at least for now.

Sean Whitton

