
Debian LTS and ELTS -- February 2024



Hello,

This was my eighth month working on LTS and ELTS.  Thank you to Freexian
and Freexian's sponsors for making these projects possible:
    <https://www.freexian.com/lts/debian/#sponsors>

LTS

- libssh

  - Finished backporting fixes for CVE-2020-16135, CVE-2023-6004,
    CVE-2023-6918 and CVE-2023-48795.

    I was able to finish backporting upstream's fixes to the version of
    libssh that we have in buster.  The patches are different to
    upstream's in several ways, so the backporting requires review.
    I've documented the situation and put the package back in the queue,
    seeking peer review.

    Jakub Jelen of Red Hat, one of libssh's developers, has been very
    helpful in answering some questions.  There remains some doubt about
    whether the fix I've committed for CVE-2023-6918 is safe, but Jakub
    has provided some guidance on determining whether it is.  I intend
    to wait for a review from another LTS team member before proceeding.

- libgit2

  - Released DLA-3742-1 fixing CVE-2024-24577.

- pillow

  - While working on an ELTS update for Pillow, I discovered that our
    fix for an old vulnerability, CVE-2022-22817, may not be complete.
    I'm still investigating just which suites require further changes.

ELTS

- pillow

  - I've been working to prepare a fix for CVE-2023-50447.
    In the process, I discovered that our fix for an old vulnerability,
    CVE-2022-22817, may be incomplete, and I'm now investigating.

-- 
Sean Whitton
