Hello,
This was my sixth month working on LTS and ELTS. Thank you to Freexian
and Freexian's sponsors for making these projects possible:
<https://www.freexian.com/lts/debian/#sponsors>
... and a Happy New Year to everyone reading.
LTS
- libssh
- Begun backporting fixes for CVE-2020-16135, CVE-2023-6004,
CVE-2023-6918 and CVE-2023-48795.
The code has changed quite significantly, and so I intend to ask for
a review of (some of) my backporting work before uploading.
For CVE-2023-48795, upstream's fix touches a new rekeying feature,
and I don't know whether that rekeying is necessary for the exploit
mitigation to be effective. I've asked upstream about it.
- tinymce
- Briefly triaged CVE-2023-48219.
This CVE concerned a cross-site scripting attack. I decided that I
was not in a position to make an assessment of its severity, and
added an internal note asking someone with more cross-site scripting
experience to take a look.
- Some catching up on debian-lts list traffic and GitLab notifications.
ELTS
- tomcat8
- Backported the fix for CVE-2023-46589 to jessie and stretch.
I couldn't completely finish the work because I couldn't get the new
tests to pass. I unclaimed the package in the hope that a fresh set
of eyes could see more quickly what was wrong.
--
Sean Whitton