[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

(E)LTS report for December 2023

I've worked during December 2023 on the below listed packages, for
Freexian LTS/ELTS [1] 

Many thanks to Freexian and sponsors [2] for providing this opportunity!

opendkim - DLA-3680-1
 (This is ELA-1017-1, but for buster)
 On mentors.d.n a RFS caught my eyes; the package maintainer has
 worked on a patch for CVE-2022-48521, which allowed an attacker to
 fake DKIM Authenication-Results headers.  After interaction with
 them to learn more about the patch, I've sponsored the fix, prepared
 updates for stable and oldstable (via (o-)s-p-u) and started working
 on the ELTS package upload, which lead to ELA-1017-1 and continued
 in December to prepare an update for buster.

intel-microcode - DLA-3680-1, ELA-1021-1
 A Vulnerability in the Intel CPUs, nicknamed "reptar" has been fixed
 with this uploads for buster, stretch and jessie.

osslsigncode - DLA-3693-1
 the vulnerability is a potential, arbitary code executon vulnerability, 
 when osslsigncode is used with crafted malicious binaries.

haproxy - ELA1024-1
 HAProxy formerly accepted the # (ie. the “pound” or
 “hash”) symbol as part of a URI component. This might have allowed
 remote attackers to obtain sensitive information upon HAProxy’s
 misinterpretation of a path_end rule, such as by routing index.html#.png
 to a static server.

amanda - DLA-3681-1
 (This is ELA-1007-1, but for buster)
 A few vulnerabilties, which would allow an local attacker that has
 access to the backup user/group to obtain root has been fixed.

amd64-microcode was recorded as still vulnerable, however additional
 triaging revealed that CVE-2023-20592 was indeed fixed already with
 3.20230719.1~debXu1 (X=8,9,10), which was not known at the time of the
 original upload for ELA-910-1) 

[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors


Attachment: signature.asc
Description: PGP signature

Reply to: