E?LTS report for april

To: debian-lts@lists.debian.org
Subject: E?LTS report for april
From: Bastien Roucariès <rouca@debian.org>
Date: Wed, 01 May 2024 15:11:06 +0000
Message-id: <[🔎] 21955025.JuJIocl79i@portable-bastien>

I've worked during april on the below listed packages, for Freexian
LTS/ELTS [1]

Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS
===

Putty
--------

I have tested putty against terrapin and released DLA 3794-1

Fix of CVE-2024-31497 are proposed and wait review

gtkwave
------------

I have reviewed changes by Adrian Bunk.

shim
-------

I have reviewed CVE and triaged. I have proposed  a fix for unstable. Note that shim need a fullbackport (like microcode) for security release.

I order to ease the testing of this strategic package I have created a autopkgtestsuite. It will ease to debug boot failure. Note that this package need extra caution due to the potential of breakage (no boot).

I am working with maintainer in order to get more testable test case.

wpa
-----

Buster was fixed and in order to avoid an upgrade regression, I fixed CVE-2023-52160 unstable. I am proposing PU for bookworm/bullseye

zookeeper
---------------

Following previous month I build ookworm CVE-2024-23944 and proposes a PU
I investigated CVE-2024-23944/bullseye and earlier. Seems information leak is present but different may be warrant a no-dsa wait for security team

libjson-smart
-------------------

In order to avoid an upgrade regression I fix CVE-2023-1370/sid. PU are on the way

apache2
------------

I am reviewing the change of maintainer Yadd for buster. I discover that fossil and unreleated package are broken by fix of CVE-2024-24795. I am investigating other kind of breakage.

ELTS
====

sendmail
-------------
Following previous month I fix jessie NUL REJECT.

We tried we ubuntu team to clarify border case of SMTP smuggling attack. We post a risk analysis and disclose some finding at 
https://marc.info/?l=oss-security&m=171447187004229&w=2

Partial conclusion is that SMTP standard need to be rewritten to take in account the SMTP smuggling risk. We have a few meeting with standard body members about this issue.
It was mainly risk analysis and contact with other SMTP implementation.

apache2
------------

Backport CVE-2023-31122/CVE-2023-38709/CVE-2024-24795 to stretch
Propose fix for jessie
Wait for review. Try to find POC by contacting upstream.

fossil
-------

Try to work on fix. Backport is likely the best stuff to do due to huge changes.

putty
--------

Verify that putty/stretch putty/jessie is unaffected by CVE-2024-31497. Filezilla is still affected


Other works
==========

I attempt montly meeting of teams.

A special thanks to ubuntu security team for cross checking my sendmail work, particularly Mark Esler.


Cheers

rouca

[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors

Cheers,

rouca

Reply to:

Prev by Date: Debian LTS report for April 2024
Next by Date: Debian LTS and ELTS - April 2024
Previous by thread: Debian LTS report for April 2024
Next by thread: Debian LTS and ELTS - April 2024
Index(es):
- Date
- Thread