I've worked during January on the packages listed below, for Freexian LTS/ELTS [1]. Many thanks to Freexian and our sponsors [2] for providing this opportunity!

ELTS
====

tinyxml
-------
Fixed CVE-2023-34194 and released ELA-1029-1. Note that this project is dead upstream, but a fork seems active. Opened a bug report about switching to the fork.

mariadb10.1
-----------
Tried to assess by risk analysis the best path to upgrade mariadb. Proposed a few actions to the team.

sudo
----
Triaged CVEs; in particular, checked that CVE-2023-42465 and CVE-2023-7090 are not vulnerable for stretch/jessie.
Applied CVE-2023-2848[67] to stretch. For jessie the risk of regression is too high due to the lbuf backport.
Added an automatic testsuite for stretch.
Waiting for review by the sudo maintainer.
Tried and succeeded in backporting stretch to jessie. Waiting for risk analysis by another member of the team.

postfix
-------
Added a patch for stretch/jessie fixing SMTP smuggling.
Allowed compilation on backported kernels like in ELTS by patching the makefile.
I also fixed buster in order to allow a smooth CVE-less upgrade.
Autopkgtest unfortunately failed its check, thus I fixed the regression testing testsuite.
I released ELA-1039-1 and DLA-3725-1.

curl
----
Backported CVE-2023-27534, CVE-2023-28321, CVE-2023-28322, CVE-2023-46218 to stretch.
Waiting for review by the maintainer.

LTS
===

Putty
-----
I tried to backport CVE-2023-48795/CVE-2021-36367/CVE-2020-14002 from bullseye, and began a risk analysis of the backport. Massive code changes will render the backport hard and I thus relinquished the package.

webpack
-------
Triaged CVE-2023-28154, which is not present in webpack3. Test and close actions.

tomcat9
-------
Following previous month's work I reviewed changes and released DLA-3707-1.

keystone & subunit
------------------
I fixed CVE-2021-38155/CVE-2021-3563. Unfortunately I was not able to compile the fix due to a regression in python subunit. I traced this to a short read bug upstream (https://github.com/testing-cabal/subunit/pull/40). I backported this fix. I thus released a bug fix DLA for subunit, DLA-3713-1. Tests now show that keystone is fixed and I released DLA-3714-1.

mariadb10.3
-----------
I fixed the last open CVE, CVE-2023-22084. Unfortunately, CVE fixes are not indicated by upstream git commits. So I contacted the upstream security officer, who gave me the git commit. Mariadb upstream will likely publish a summary of CVE fixes and their associated git commits in order to improve downstream tracking. I backported the fix from mariadb 10.11 to 10.3, then I tested using the embedded test suite. Unfortunately I had to resort to manual testing due to a problem with the salsa infrastructure. The problem was attributed to a pristine-tar bug and we are going to investigate. I released DLA-3722-1.

ansible
-------
Following previous month's work and a long mail exchange with the redhat security report team about CVE-2021-3533 and CVE-2021-3532, the redhat CNA retired (rejected) these two CVEs as invalid.

sudo
----
I proposed a fix for CVE-2023-28486/CVE-2023-28487, using a backport from bullseye. I found an RC bug, #1061272, by code review: a few parts of sudo are not recompiled from source, which is problematic security-wise for such a program. I solved this RC bug, which blocked other CVEs. I am now waiting for review by the maintainer of this package, due to the huge security implications of sudo.

curl
----
Backported CVE-2023-27534 to buster.
I contacted SuSe security and reported their fixes as incomplete.
Rewrote from scratch.
Waiting for review by the maintainer.

Other work
==========
I tried to help santiago with the testing infrastructure.
A special thanks to Wietse Venema from postfix.

Cheers,
rouca

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors