(E)LTS report for March 2024



LTS:

cpio:
- Added note that upstream considers CVE-2023-7216 (sole unfixed CVE)
  normal behavior.

fontforge:
- Released DLA-3754-1, fixing CVE-2020-5395, CVE-2020-5496,
  CVE-2024-25081 and CVE-2024-25082.
- Fixed CVE-2024-25081 and CVE-2024-25082 in sid.
- Fixed CVE-2024-25081 and CVE-2024-25082 as DSA-5641-1
  in bullseye and bookworm.

gtkwave:
- Released DLA-3785-1, upgrading to a new upstream version fixing
  CVE-2023-32650 CVE-2023-34087 CVE-2023-34436 CVE-2023-35004
  CVE-2023-35057 CVE-2023-35128 CVE-2023-35702 CVE-2023-35703
  CVE-2023-35704 CVE-2023-35955 CVE-2023-35956 CVE-2023-35957
  CVE-2023-35958 CVE-2023-35959 CVE-2023-35960 CVE-2023-35961
  CVE-2023-35962 CVE-2023-35963 CVE-2023-35964 CVE-2023-35969
  CVE-2023-35970 CVE-2023-35989 CVE-2023-35992 CVE-2023-35994
  CVE-2023-35995 CVE-2023-35996 CVE-2023-35997 CVE-2023-36746
  CVE-2023-36747 CVE-2023-36861 CVE-2023-36864 CVE-2023-36915
  CVE-2023-36916 CVE-2023-37282 CVE-2023-37416 CVE-2023-37417
  CVE-2023-37418 CVE-2023-37419 CVE-2023-37420 CVE-2023-37442
  CVE-2023-37443 CVE-2023-37444 CVE-2023-37445 CVE-2023-37446
  CVE-2023-37447 CVE-2023-37573 CVE-2023-37574 CVE-2023-37575
  CVE-2023-37576 CVE-2023-37577 CVE-2023-37578 CVE-2023-37921
  CVE-2023-37922 CVE-2023-37923 CVE-2023-38583 CVE-2023-38618
  CVE-2023-38619 CVE-2023-38620 CVE-2023-38621 CVE-2023-38622
  CVE-2023-38623 CVE-2023-38648 CVE-2023-38649 CVE-2023-38650
  CVE-2023-38651 CVE-2023-38652 CVE-2023-38653 CVE-2023-38657
  CVE-2023-39234 CVE-2023-39235 CVE-2023-39270 CVE-2023-39271
  CVE-2023-39272 CVE-2023-39273 CVE-2023-39274 CVE-2023-39275
  CVE-2023-39316 CVE-2023-39317 CVE-2023-39413 CVE-2023-39414
  CVE-2023-39443 CVE-2023-39444
- Submitted a similar upgrade to unstable.
- Submitted similar upgrades to bullseye-security and
  bookworm-security, where they were released as DSA-5653-1.
- The DSA and DLA were released in April, but they are listed
  here since all work was done and submitted for review in March.

gross:
- Released DLA-3774-1, fixing CVE-2023-52159.
- Submitted the CVE-2023-52159 fix for the next bullseye and
  bookworm point releases.

iwd:
- Determined that CVE-2024-28084 does not affect buster.

libuv1:
- Released DLA-3752-1, fixing CVE-2024-24806.

node-xml2js:
- Released DLA-3760-1, fixing CVE-2023-0842.

postgresql-11:
- Released DLA-3764-1, fixing CVE-2024-0985.

python2.7:
- Determined that CVE-2023-6597 does not affect python2.7.
- Released DLA-3771-1, fixing CVE-2024-0450.

python3.7:
- Released DLA-3772-1, fixing CVE-2023-6597 and CVE-2024-0450.

qemu:
- Determined that qemu 1:5.2+dfsg-11+deb11u3 in bullseye had fixed
  CVE-2022-1050 (fix already applied in buster), not CVE-2023-1544.
- Determined that CVE-2023-1544 does not affect buster.
- Determined that CVE-2023-6683 does not affect <= bullseye.
- Determined that CVE-2024-24474 does not affect <= bullseye.
- Determined that CVE-2023-42467 does not affect <= bullseye.
- Released DLA-3759-1, fixing CVE-2023-2861, CVE-2023-3354
  and CVE-2023-5088.

tar:
- Released DLA-3755-1, fixing CVE-2023-39804.

unadf:
- Released DLA-3762-1, fixing CVE-2016-1243 and CVE-2016-1244.

yard:
- Released DLA-3753-1, fixing CVE-2019-1020001 and CVE-2024-27285.


ELTS:

clamav:
- Determined that CVE-2024-20290 and CVE-2024-20328 (sole unfixed CVEs)
  do not affect jessie or stretch.

imlib2:
- Determined that CVE-2024-25447, CVE-2024-25448 and CVE-2024-25450
  (sole unfixed CVEs) do not affect <= buster.

libgit2:
- Determined that CVE-2024-24575 does not affect jessie or stretch.
- Released ELA-1053-1, fixing CVE-2024-24577 in stretch.

libuv1:
- Determined that CVE-2024-24806 does not affect stretch.

postgresql-9.4:
- Released ELA-1061-1, fixing CVE-2024-0985 in jessie.

postgresql-9.6:
- Released ELA-1060-1, fixing CVE-2024-0985 in stretch.

putty:
- Determined that CVE-2020-14002 does not affect jessie or stretch.
- Determined that CVE-2023-48795 does not affect jessie or stretch.

python2.7:
- Released ELA-1065-1, fixing CVE-2024-0450 in jessie and stretch.

python3.4:
- Released ELA-1067-1, fixing CVE-2024-0450 in jessie.

python3.5:
- Released ELA-1066-1, fixing CVE-2024-0450 in stretch.

qemu:
- Determined that CVE-2024-26327 does not affect jessie or stretch.
- Determined that CVE-2024-26328 does not affect jessie or stretch.
- Released ELA-1063-1, fixing CVE-2020-14394, CVE-2023-0330, CVE-2023-2861,
  CVE-2023-3180, CVE-2023-3354 and CVE-2023-5088 in stretch.

