
Debian LTS and ELTS -- December 2023


This was my sixth month working on LTS and ELTS.  Thank you to Freexian
and Freexian's sponsors for making these projects possible:

... and a Happy New Year to everyone reading.


- libssh

  - Begun backporting fixes for CVE-2020-16135, CVE-2023-6004,
    CVE-2023-6918 and CVE-2023-48795.

    The code has changed quite significantly, and so I intend to ask for
    a review of (some of) my backporting work before uploading.

    For CVE-2023-48795, upstream's fix touches a new rekeying feature,
    and I don't know whether that rekeying is necessary for the exploit
    mitigation to be effective.  I've asked upstream about it.

- tinymce

  - Briefly triaged CVE-2023-48219.

    This CVE concerned a cross-site scripting attack.  I decided that I
    was not in a position to make an assessment of its severity, and
    added an internal note asking someone with more cross-site scripting
    to take a look.

- Some catching up on debian-lts list traffic and GitLab notifications.


- tomcat8

  - Backported the fix for CVE-2023-46589 to jessie and stretch.

    I couldn't completely finish the work because I couldn't get the new
    tests to pass.  I unclaimed the package in the hope that a fresh set
    of eyes could see more quickly what was wrong.

Sean Whitton
