
Report for (E)LTS work in March

During March I worked on the packages listed below for Freexian
LTS/ELTS [1].

Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS
===

composer
--------

I triaged #1063603/CVE-2024-24821 and confirmed that this CVE does not affect buster.
I backported the local path fixes.
I backported the fix for CVE-2023-43655.
I finally released DLA-3777-1.

curl
----

I tested the fixes created the previous month and released DLA-3763-1.

sendmail
--------

I tested against the SMTP smuggling attack. I contacted upstream for clarification.

imagemagick
-----------

I determined that CVE-2022-3213 does not affect releases before trixie.
I determined that CVE-2023-2157 does not affect releases before buster.
I determined that CVE-2021-40211 does not affect bullseye (this was complicated because the issue had been reintroduced by an upstream fix for another CVE).
I released imagemagick 8:6.9.10.23+dfsg-2.1+deb10u7 as DLA-3767-1, fixing CVE-2022-48541.

putty
-----

Due to the difficulty of backporting the Terrapin fixes, I proposed a backport from bullseye.

zookeeper
---------

I fixed CVE-2024-23944 in sid.
I fixed CVE-2024-23944 in bullseye.
Unfortunately the patches do not apply cleanly to buster/stretch due to large code changes. I contacted upstream in order to get a test suite.


ELTS
====

wpa
---

I backported the fixes for CVE-2023-52160, an authentication bypass. I added a Salsa CI test and released ELA-1064-1.

curl
----

I fixed a previously made patch thanks to a review by Roberto. I released ELA-1068-1.

sendmail
--------

I backported the fix for CVE-2023-51765 to stretch. Tests are ok.
The jessie backport was harder due to an old toolchain (CBFS with extracted tarball).

zookeeper
---------

I investigated the status of CVE-2024-23944.

imagemagick
-----------

Following the previous month's effort, I tried to fix the recursive SVG issue.

Other work
==========

I attended the monthly team meetings.

A special thanks to the Ubuntu security team for cross-checking my sendmail work, particularly Mark Esler.

Cheers

rouca

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors
