
(E)?LTS report for november



I've worked during November 2023 on the below listed packages, for Freexian
LTS/ELTS [1].

Many thanks to Freexian and our sponsors [2] for providing this opportunity!


ELTS:
====

The work consisted of fixing libreoffice for both stretch and jessie.
I have fixed CVE-2020-12801 CVE-2020-12802 CVE-2020-12803 CVE-2023-6185 CVE-2023-6186 for stretch and CVE-2023-6185 for jessie.

Upstream support for such old versions is non-existent and fixing these CVEs is hard. Patches do not apply
and some functionalities must be backported.

CVE-2023-6186 was hard to backport because some parts of the patch do not apply due to the old code base, but also
due to missing functionalities in the older version. So a risk and feature analysis has been carried out before every step.

I have released ELA-1026-1 for stretch and ELA-1025-1 for jessie.

LTS
===

libreoffice
--------------

I have fixed CVE-2020-12801 CVE-2020-12802 CVE-2020-12803 CVE-2023-6185 CVE-2023-6186 for libreoffice, releasing DLA 3703-1.

ansible
----------

I have fixed CVE-2021-3447 CVE-2021-3583 CVE-2021-3620 CVE-2021-20178 CVE-2021-20191 CVE-2022-3697 CVE-2023-5115
for ansible.

The package on buster is outdated compared to upstream and outside official support. The code base moves quickly and more packages were split upstream, which renders
identifying and triaging the bugs slow.

Moreover, I have contacted upstream and the Red Hat CNA about CVE-2023-4380 CVE-2021-3533 CVE-2021-3532, which seem still open upstream and lack details about how to fix these bugs.

I have also improved the quality of the package by running autopkgtest and thus identifying a regression in the fix of CVE-2019-10206.

I have released DLA-3695-1.

I have also carried out a risk analysis about CVE-2023-5764.

zbar
------

Following the previous month's fix, I have been contacted by SUSE about reproducing this bug. After a few mails between myself and SUSE, Washington University in St. Louis released the PoC.

tomcat9
-----------

Fixed CVE-2023-46589. Needed to backport a few other commits,
particularly one from 2021, for exception fixing.
The test suite passes, the patch seems ok, but as a supplementary safety
measure I asked the maintainer to review it.

Other tasks
=========

I have also helped others on IRC.

I tested the staging extended tree for Helmut.

A special thanks to Helmut for his work.

[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors

Cheers,

rouca
