Debian LTS and ELTS -- March 2024

To: debian-lts@lists.debian.org
Subject: Debian LTS and ELTS -- March 2024
From: Sean Whitton <spwhitton@spwhitton.name>
Date: Sun, 31 Mar 2024 21:09:02 +0800
Message-id: <[🔎] 87jzliwntd.fsf@melete.silentflame.com>

Hello,

This was my ninth month working on LTS and ELTS.  Thank you to Freexian
and Freexian's sponsors for making these projects possible:
    <https://www.freexian.com/lts/debian/#sponsors>

LTS

- pillow

  - Released DLA-3768-1 fixing CVE-2021-23437 and CVE-2023-44271.

  - My DLA-3768-1 also included a follow-up fix for CVE-2022-22817.
    A fix for this CVE had been announced in DSA-5053-1, but I realised
    that we hadn't included a follow-up fix that upstream had made,
    covering some additional cases.

    I also discovered that our backport of the automated test for the
    vulnerability having been closed delivered false positives.  I had
    to learn a bit more about Python's evaluation model in order to be
    sure that my revised backport of the test really worked.
    Thanks to Chris Lamb, one of the most experienced Python developers
    on the LTS team, for review here.

  - Some of these CVEs are unfixed in bullseye and bookworm, which will
    eventually become LTS distributions.
    I have offered my help to the Security Team to finish preparing the
    fixes for including in point releases.

- bind9

  - Started work on backporting upstream fixes for four CVEs from 2023.

- Correspondence, catching up on meeting logs, etc..  We had a number of
  valuable process improvements this month, one discussed below.

ELTS

- pillow

  - Released ELA-1059-1 fixing CVE-2021-23437, CVE-2022-22817,
    CVE-2023-44271 & CVE-2023-50447.

  - Updated tracker information for CVE-2019-16865 & CVE-2022-45198.

    CVE-2019-16865 was marked as ignored for the same reason that
    several other CVEs were marked as ignored.  But I realised that the
    vulnerable code is not actually present in stretch and buster.

    I fixed similar incomplete tracking regarding CVE-2022-45198, across
    the LTS and ELTS suites.

- This month, I also carefully reviewed some team discussions regarding
  these different states which are other than plain "vulnerable" and
  "fixed".  We discovered that different team members were thinking of
  the tags slightly differently.  Although it's not likely that these
  differences of opinion have led to any serious vulnerabilities going
  unfixed, they are likely to caused us to work less efficiently at
  various points.

  One of the things that has always most interested me about Debian,
  from the very beginning of my involvement as a volunteer, is how we
  can design processes and tooling that suit intermittent contributor
  availability and communication, and handing over work efficiently.
  As a result, I found these clarificatory discussions particularly
  interesting.

-- 
Sean Whitton

Reply to:

Prev by Date: Re: gtkwave update for {bookworm,bullseye,buster}-security
Next by Date: Re: bind9 LTS
Previous by thread: Re: gtkwave update for {bookworm,bullseye,buster}-security
Next by thread: Re: bind9 LTS
Index(es):
- Date
- Thread