[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

(E)LTS report for November 2023

I've worked during November 2023 on the below listed packages, for
Freexian LTS/ELTS [1] 

Many thanks to Freexian and sponsors [2] for providing this opportunity!


freerdp2: (DLA-3654-1) 
  Third time is a charme. After tackling it in September and October,
  with DLA-3606-1 fixing a lot of the original open 60 vulnerabilties,
  this releases focused on the remaining ones, in total fixing nine
  vulnerabilities. (For details on those please refer to the

  The careful reader of the security tracker will note that there are
  currently four unhandled CVES: The reason for those is it was either
  impossible to locate the correct patch, and requests for help  to
  upstream were unfortunatly not answered.
  In the case of CVE-2021-41159, the complete RFC gatway code had been
  refactored, which makes the patch imfeasible to backport to buster.
  Affected users might want to use the posted workarounds. [A]

  To tackle the security issues in stable.
  I reached out the release team to see if they could approve a new
  upstream version for bookworm (#1054915), but this has not received
  feedback yet.
  For oldstable I'm planning to prepare a fix based on the buster the
  package package, but didn't find time yet to do so. 

[A] https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vh34-m9h7-95xq

lwip: (DLA-3655-1)
  CVE-2020-22283 fixes a buffer overflow vulnerabilty.
  On this package I could enhance/test the LTS forking guide
  to check what needs to be done to add a missing pristine-tar branch.


amanda: (ELA-1007-1)
   A few vulnerabilties, which would allow an local attacker that has
   access to the backup user/group to obtain root has been fixed.
   There are two more vulnerabilties, CVE-2016-10729 and -10730.
   (Both vulnerabities were marked "unimportant" in the tracker)
   Local tests indicates that those have been fixed already, as their
   PoC do not PoC anymore. However, as I could not locate the exact
   version where this has been fixed, I did not mark the as fixed
   in the security tracker. 

opendkim: (ELA-1017-1)
   On mentors.d.n a RFS caught my eyes; the package maintainer has
   worked on a patch for CVE-2022-48521, which allowed an attacker to
   fake DKIM Authenication-Results headers.  After interaction with
   them to learn more about the patch, I've sponsored the fix, prepared
   updates for stable and oldstable (via (o-)s-p-u) and started working
   on the ELTS package upload, which lead to ELA-1017-1. 

[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors


Attachment: signature.asc
Description: PGP signature

Reply to: