
Re: (E)?LTS report for december



On Tuesday, 2 January 2024, 14:53:22 UTC, Bastien Roucariès wrote:
Hi,

Obviously the report should be read as being for December 2023.
> I've worked during November 2023 on the packages listed below, for Freexian
> LTS/ELTS [1]
> 
> Many thanks to Freexian and our sponsors [2] for providing this opportunity!
> 
> 
> ELTS:
> ====
> 
> The work consisted of fixing libreoffice for both stretch and jessie.
> I have fixed CVE-2020-12801 CVE-2020-12802 CVE-2020-12803 CVE-2023-6185 CVE-2023-6186 for stretch and CVE-2023-6185 for jessie.
> 
> Upstream support for such old versions is non-existent and fixing these CVEs is hard. Patches do not apply
> and some functionalities must be backported.
> 
> CVE-2023-6186 was hard to backport because some parts of the patch do not apply due to the old code base, but also
> due to missing functionalities in the older version. So a risk and feature analysis has been carried out before every step.
> 
> I have released ELA-1026-1 for stretch and ELA-1025-1 for jessie.
> 
> LTS
> ===
> 
> libreoffice
> --------------
> 
> I have fixed CVE-2020-12801 CVE-2020-12802 CVE-2020-12803 CVE-2023-6185 CVE-2023-6186 for libreoffice, releasing DLA-3703-1.
> 
> ansible
> ----------
> 
> I have fixed CVE-2021-3447 CVE-2021-3583 CVE-2021-3620 CVE-2021-20178 CVE-2021-20191 CVE-2022-3697 CVE-2023-5115
> for ansible.
> 
> The package on buster is outdated relative to upstream and outside official support. The code base moves quickly and more packages were split upstream, which renders
> identifying and triaging the bugs slow.
> 
> Moreover, I have contacted upstream and the Red Hat CNA about CVE-2023-4380 CVE-2021-3533 CVE-2021-3532, which seem to still be open upstream and lack details about how to fix these bugs.
> 
> I have also improved the quality of the package by running autopkgtest and thus identifying a regression in the fix of CVE-2019-10206.
> 
> I have released DLA-3695-1.
> 
> I have also carried out a risk analysis about CVE-2023-5764.
> 
> zbar
> ------
> 
> Following the previous month's fix, I have been contacted by SUSE about reproducing this bug. After a few mails between myself and SUSE, Washington University in St. Louis released the PoC.
> 
> tomcat9
> -----------
> 
> Fixed CVE-2023-46589. Needed to backport a few other commits,
> particularly one from 2021, for exception fixing.
> Test suite passes OK, patch seems OK, but as a supplementary safety
> measure I asked the maintainer to review.
> 
> Other tasks
> =========
> 
> I have also helped others on IRC.
> 
> I tested the staging extended tree for helmut.
> 
> A special thanks to Helmut for his work.
> 
> [1]  https://www.freexian.com/lts/
> [2]  https://www.freexian.com/lts/debian/#sponsors
> 
> Cheers,
> 
> rouca
> 
