I've worked during December 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! opendkim - DLA-3680-1 (This is ELA-1017-1, but for buster) On mentors.d.n a RFS caught my eyes; the package maintainer has worked on a patch for CVE-2022-48521, which allowed an attacker to fake DKIM Authenication-Results headers. After interaction with them to learn more about the patch, I've sponsored the fix, prepared updates for stable and oldstable (via (o-)s-p-u) and started working on the ELTS package upload, which lead to ELA-1017-1 and continued in December to prepare an update for buster. intel-microcode - DLA-3680-1, ELA-1021-1 A Vulnerability in the Intel CPUs, nicknamed "reptar" has been fixed with this uploads for buster, stretch and jessie. osslsigncode - DLA-3693-1 the vulnerability is a potential, arbitary code executon vulnerability, when osslsigncode is used with crafted malicious binaries. haproxy - ELA1024-1 HAProxy formerly accepted the # (ie. the “pound” or “hash”) symbol as part of a URI component. This might have allowed remote attackers to obtain sensitive information upon HAProxy’s misinterpretation of a path_end rule, such as by routing index.html#.png to a static server. amanda - DLA-3681-1 (This is ELA-1007-1, but for buster) A few vulnerabilties, which would allow an local attacker that has access to the backup user/group to obtain root has been fixed. amd64-microcode was recorded as still vulnerable, however additional triaging revealed that CVE-2023-20592 was indeed fixed already with 3.20230719.1~debXu1 (X=8,9,10), which was not known at the time of the original upload for ELA-910-1) [1] https://www.freexian.com/lts/ [2] https://www.freexian.com/lts/debian/#sponsors Cheers, -- tobi
Attachment:
signature.asc
Description: PGP signature