
E?LTS report for February



I've worked during February on the packages listed below, for Freexian
LTS/ELTS [1].

Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS
===

sudo
----
I have released DLA 3732-1, following the previous month's work.

Ansible
-------

Following the previous month's work, I have worked with the CNA and upstream, and triaged a few CVEs.
For instance, CVE-2023-4237 does not apply.

imagemagick
-----------

I have made a release by backporting patches from unstable:
- Fix CVE-2023-1289
- Fix CVE-2023-34151
- Fix CVE-2023-5341
Some CVEs do not apply to buster, for instance CVE-2022-1114.

As usual for imagemagick, a backport may need to apply unrelated patches, due to huge changes in the code base, or to backport specific functionalities.

I have therefore released DLA-3737-1.

docker
------

I investigated CVE-2024-24557: the patch does not apply but a workaround exists, thus this bug might be tagged no-DSA.

sendmail
--------

sendmail upstream does not have a public VCS tree, therefore I tried manually to isolate the SMTP smuggling
fixes (CVE-2023-51765) in order to get the minimal patch for fixing this security problem.

Work is also ongoing with the security team and Ubuntu for getting a reproducing test case and infrastructure.

composer
--------
With the maintainer, fixed bookworm/bullseye. The patch on my side (fixing #1063603/CVE-2024-24821) was incomplete due to a Debian-specific problem, which was investigated in collaboration with David Prevot.
I have added a test suite for buster, fixing it using buster depends; work is ongoing for buster but needs backporting of some external functionalities.

ELTS
====

sudo
----
Following the previous month's work I released ELA-1042-1.

optipng
-------

I fixed CVE-2023-43907 and CVE-2015-7802/jessie. I released ELA-1044-1.

phpseclib
---------

Backported buster to stretch and released ELA-1045-1.

php-phpseclib
-------------

Risk analysis shows it is too risky and intrusive to backport individual patches.
I thus backported the buster release, which is a stable branch update, to stretch and released
ELA-1050-1.

imagemagick
-----------

I am attempting to backport patches from buster. First I triaged bugs and noticed that CVE-2023-3745 is not present.
Recursion fixes, even if the patches could be made applicable, were not effective due to missing parts of the recursion infrastructure in
stretch. I identified commit ddc718eaa93767ceae286e171296b5fbb0bbd812 as the main blocker. As usual with imagemagick,
progress is slow due to the large code base and the complexity of the code.


Other work
==========

I attend the monthly team meetings.

A special thanks to the Ubuntu security team for cross-checking my sendmail work, particularly Mark Esler.


Cheers

rouca

[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors

