I've worked during November 2023 on the below listed packages, for Freexian LTS/ELTS [1]

Many thanks to Freexian and our sponsors [2] for providing this opportunity!

ELTS:
====

The work consisted of fixing libreoffice both for stretch and jessie.

I have fixed CVE-2020-12801 CVE-2020-12802 CVE-2020-12803 CVE-2023-6185 CVE-2023-6186 for stretch and CVE-2023-6185 for jessie.

Upstream support for such old versions is nonexistent and fixing these CVEs is hard. Patches do not apply and some functionalities must be backported.

CVE-2023-6186 was hard to backport because some parts of the patch do not apply due to the old code base but also due to missing functionalities in the older version. So a risk and feature analysis has been carried out before every step.

I have released ELA-1026-1 for stretch and ELA-1025-1 for jessie.

LTS
===

libreoffice
--------------

I have fixed CVE-2020-12801 CVE-2020-12802 CVE-2020-12803 CVE-2023-6185 CVE-2023-6186 for libreoffice, releasing DLA 3703-1.

ansible
----------

I have fixed CVE-2021-3447 CVE-2021-3583 CVE-2021-3620 CVE-2021-20178 CVE-2021-20191 CVE-2022-3697 CVE-2023-5115 for ansible.

The package on buster is outdated from upstream and outside official support. The code base moves quickly and, moreover, the package was split upstream, which renders identifying and triaging the bugs slow.

Moreover I have contacted upstream and the Red Hat CNA about CVE-2023-4380 CVE-2021-3533 CVE-2021-3532, which seem still open upstream, and lack details about how to fix these bugs.

I have also improved the quality of the package by running autopkgtest and thus identifying a regression in the fix of CVE-2019-10206.

I have released DLA-3695-1.

I have also carried out a risk analysis about CVE-2023-5764.

zbar
------

Following the previous month's fix, I have been contacted by SUSE about reproducing this bug. After a few mails between myself and SUSE, Washington University in St. Louis released the POC.

tomcat9
-----------

Fix CVE-2023-46589.

Need to backport a few other commits, particularly one from 2021, for exception fixing. Test suite passes OK, patch seems OK, but as a supplementary safety measure I asked the maintainer to review.

Other tasks
=========

I have also helped others on IRC.

I tested the staging extended tree for helmut. A special thanks to Helmut for his work.

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors

Cheers,
rouca