I've worked during November 2023 on the below listed packages, for Freexian LTS/ELTS [1].
Many thanks to Freexian and sponsors [2] for providing this opportunity!

LTS:
====

freerdp2: (DLA-3654-1)

Third time is a charm. After tackling it in September and October, with DLA-3606-1 fixing a lot of the original 60 open vulnerabilities, this release focused on the remaining ones, in total fixing nine vulnerabilities. (For details on those please refer to the announcements.)

The careful reader of the security tracker will note that there are currently four unhandled CVEs. The reason for those is that it was either impossible to locate the correct patch, or requests for help to upstream were unfortunately not answered. In the case of CVE-2021-41159, the complete RPC gateway code had been refactored, which makes the patch infeasible to backport to buster. Affected users might want to use the posted workarounds. [A]

To tackle the security issues in stable, I reached out to the release team to see if they could approve a new upstream version for bookworm (#1054915), but this has not received feedback yet. For oldstable I'm planning to prepare a fix based on the buster package, but didn't find time yet to do so.

[A] https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vh34-m9h7-95xq

lwip: (DLA-3655-1)

CVE-2020-22283 fixes a buffer overflow vulnerability. On this package I could enhance/test the LTS forking guide to check what needs to be done to add a missing pristine-tar branch.

ELTS
====

amanda: (ELA-1007-1)

A few vulnerabilities, which would allow a local attacker that has access to the backup user/group to obtain root, have been fixed. There are two more vulnerabilities, CVE-2016-10729 and -10730. (Both vulnerabilities were marked "unimportant" in the tracker.) Local tests indicate that those have been fixed already, as their PoCs do not PoC anymore.
However, as I could not locate the exact version where this has been fixed, I did not mark them as fixed in the security tracker.

opendkim: (ELA-1017-1)

On mentors.d.n an RFS caught my eye; the package maintainer has worked on a patch for CVE-2022-48521, which allowed an attacker to fake DKIM Authentication-Results headers. After interaction with them to learn more about the patch, I've sponsored the fix, prepared updates for stable and oldstable (via (o-)s-p-u) and started working on the ELTS package upload, which led to ELA-1017-1.

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors

Cheers,
-- tobi