Hello,

This was my eighth month working on LTS and ELTS. Thank you to Freexian and Freexian's sponsors for making these projects possible: <https://www.freexian.com/lts/debian/#sponsors>

LTS

- libssh

  - Finished backporting fixes for CVE-2020-16135, CVE-2023-6004, CVE-2023-6918 and CVE-2023-48795.

  I was able to finish backporting upstream's fixes to the version of libssh that we have in buster. The patches are different to upstream's in several ways, so the backporting requires review. I've documented the situation and put the package back in the queue, seeking peer review.

  Jakub Jelen of RedHat, one of libssh's developers, has been very helpful in answering some questions. There remains some doubt about whether the fix I've committed for CVE-2023-6918 is safe, but Jakub has provided some guidance on determining whether it is. I intend to wait for a review from another LTS team member before proceeding.

- libgit2

  - Released DLA-3742-1 fixing CVE-2024-24577.

- pillow

  - While working on an ELTS update for Pillow, I discovered that our fix for an old vulnerability, CVE-2022-22817, may not be complete. I'm still investigating just which suites require further changes.

ELTS

- pillow

  - I've been working to prepare a fix for CVE-2023-50447. In the process, I discovered that our fix for an old vulnerability, CVE-2022-22817, may be incomplete, and I'm now investigating.

-- 
Sean Whitton