(E)LTS report for March 2024
LTS:
cpio:
- Added note that upstream considers CVE-2023-7216 (sole unfixed CVE)
normal behavior.
fontforge:
- Released DLA-3754-1, fixing CVE-2020-5395, CVE-2020-5496,
CVE-2024-25081 and CVE-2024-25082.
- Fixed CVE-2024-25081 and CVE-2024-25082 in sid.
- Fixed CVE-2024-25081 and CVE-2024-25082 as DSA-5641-1
in bullseye and bookworm.
gtkwave:
- Released DLA-3785-1, upgrading to a new upstream version fixing
CVE-2023-32650 CVE-2023-34087 CVE-2023-34436 CVE-2023-35004
CVE-2023-35057 CVE-2023-35128 CVE-2023-35702 CVE-2023-35703
CVE-2023-35704 CVE-2023-35955 CVE-2023-35956 CVE-2023-35957
CVE-2023-35958 CVE-2023-35959 CVE-2023-35960 CVE-2023-35961
CVE-2023-35962 CVE-2023-35963 CVE-2023-35964 CVE-2023-35969
CVE-2023-35970 CVE-2023-35989 CVE-2023-35992 CVE-2023-35994
CVE-2023-35995 CVE-2023-35996 CVE-2023-35997 CVE-2023-36746
CVE-2023-36747 CVE-2023-36861 CVE-2023-36864 CVE-2023-36915
CVE-2023-36916 CVE-2023-37282 CVE-2023-37416 CVE-2023-37417
CVE-2023-37418 CVE-2023-37419 CVE-2023-37420 CVE-2023-37442
CVE-2023-37443 CVE-2023-37444 CVE-2023-37445 CVE-2023-37446
CVE-2023-37447 CVE-2023-37573 CVE-2023-37574 CVE-2023-37575
CVE-2023-37576 CVE-2023-37577 CVE-2023-37578 CVE-2023-37921
CVE-2023-37922 CVE-2023-37923 CVE-2023-38583 CVE-2023-38618
CVE-2023-38619 CVE-2023-38620 CVE-2023-38621 CVE-2023-38622
CVE-2023-38623 CVE-2023-38648 CVE-2023-38649 CVE-2023-38650
CVE-2023-38651 CVE-2023-38652 CVE-2023-38653 CVE-2023-38657
CVE-2023-39234 CVE-2023-39235 CVE-2023-39270 CVE-2023-39271
CVE-2023-39272 CVE-2023-39273 CVE-2023-39274 CVE-2023-39275
CVE-2023-39316 CVE-2023-39317 CVE-2023-39413 CVE-2023-39414
CVE-2023-39443 CVE-2023-39444
- Submitted a similar upgrade to unstable.
- Submitted similar upgrades to bullseye-security and
bookworm-security, where they were released as DSA-5653-1.
- The DSA and DLA were released in April, but they are listed
here since all work was done and submitted for review in March.
gross:
- Released DLA-3774-1, fixing CVE-2023-52159.
- Submitted the CVE-2023-52159 fix for the next bullseye and
bookworm point releases.
iwd:
- Determined that CVE-2024-28084 does not affect buster.
libuv1:
- Released DLA-3752-1, fixing CVE-2024-24806.
node-xml2js:
- Released DLA-3760-1, fixing CVE-2023-0842.
postgresql-11:
- Released DLA-3764-1, fixing CVE-2024-0985.
python2.7:
- Determined that CVE-2023-6597 does not affect python2.7.
- Released DLA-3771-1, fixing CVE-2024-0450.
python3.7:
- Released DLA-3772-1, fixing CVE-2023-6597 and CVE-2024-0450.
qemu:
- Determined that qemu 1:5.2+dfsg-11+deb11u3 in bullseye had fixed
CVE-2022-1050 (fix already applied in buster), not CVE-2023-1544.
- Determined that CVE-2023-1544 does not affect buster.
- Determined that CVE-2023-6683 does not affect <= bullseye.
- Determined that CVE-2024-24474 does not affect <= bullseye.
- Determined that CVE-2023-42467 does not affect <= bullseye.
- Released DLA-3759-1, fixing CVE-2023-2861, CVE-2023-3354
and CVE-2023-5088.
tar:
- Released DLA-3755-1, fixing CVE-2023-39804.
unadf:
- Released DLA-3762-1, fixing CVE-2016-1243 and CVE-2016-1244.
yard:
- Released DLA-3753-1, fixing CVE-2019-1020001 and CVE-2024-27285.
ELTS:
clamav:
- Determined that CVE-2024-20290 and CVE-2024-20328 (sole unfixed CVEs)
do not affect jessie or stretch.
imlib2:
- Determined that CVE-2024-25447, CVE-2024-25448 and CVE-2024-25450
(sole unfixed CVEs) do not affect <= buster.
libgit2:
- Determined that CVE-2024-24575 does not affect jessie or stretch.
- Released ELA-1053-1, fixing CVE-2024-24577 in stretch.
libuv1:
- Determined that CVE-2024-24806 does not affect stretch.
postgresql-9.4:
- Released ELA-1061-1, fixing CVE-2024-0985 in jessie.
postgresql-9.6:
- Released ELA-1060-1, fixing CVE-2024-0985 in stretch.
putty:
- Determined that CVE-2020-14002 does not affect jessie or stretch.
- Determined that CVE-2023-48795 does not affect jessie or stretch.
python2.7:
- Released ELA-1065-1, fixing CVE-2024-0450 in jessie and stretch.
python3.4:
- Released ELA-1067-1, fixing CVE-2024-0450 in jessie.
python3.5:
- Released ELA-1066-1, fixing CVE-2024-0450 in stretch.
qemu:
- Determined that CVE-2024-26327 does not affect jessie or stretch.
- Determined that CVE-2024-26328 does not affect jessie or stretch.
- Released ELA-1063-1, fixing CVE-2020-14394, CVE-2023-0330, CVE-2023-2861,
CVE-2023-3180, CVE-2023-3354 and CVE-2023-5088 in stretch.