E?LTS report for April
During April I worked on the packages listed below, for Freexian
LTS/ELTS [1].
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
LTS
===
Putty
--------
I have tested putty against Terrapin and released DLA 3794-1.
Fixes for CVE-2024-31497 are proposed and await review.
gtkwave
------------
I have reviewed changes by Adrian Bunk.
shim
-------
I have done CVE review and triage. I have proposed a fix for unstable. Note that shim needs a full backport (like microcode) for a security release.
In order to ease the testing of this strategic package, I have created an autopkgtest suite. It will make it easier to debug boot failures. Note that this package needs extra caution due to the potential for breakage (no boot).
I am working with the maintainer in order to get more testable test cases.
wpa
-----
Buster was fixed and, in order to avoid an upgrade regression, I fixed CVE-2023-52160 in unstable. I am proposing PUs for bookworm/bullseye.
zookeeper
---------------
Following up on the previous month, I built CVE-2024-23944 for bookworm and proposed a PU.
I investigated CVE-2024-23944 for bullseye and earlier. It seems the information leak is present but different; it may warrant a no-dsa. Waiting for the security team.
libjson-smart
-------------------
In order to avoid an upgrade regression, I fixed CVE-2023-1370 in sid. PUs are on the way.
apache2
------------
I am reviewing the changes by maintainer Yadd for buster. I discovered that fossil and unrelated packages are broken by the fix for CVE-2024-24795. I am investigating other kinds of breakage.
ELTS
====
sendmail
-------------
Following up on the previous month, I fixed jessie NUL REJECT.
We tried with the Ubuntu team to clarify border cases of the SMTP smuggling attack. We posted a risk analysis and disclosed some findings at
https://marc.info/?l=oss-security&m=171447187004229&w=2
The partial conclusion is that the SMTP standard needs to be rewritten to take into account the SMTP smuggling risk. We had a few meetings with standards body members about this issue.
It was mainly risk analysis and contact with other SMTP implementations.
apache2
------------
Backport CVE-2023-31122/CVE-2023-38709/CVE-2024-24795 to stretch.
Propose a fix for jessie.
Wait for review. Try to find a PoC by contacting upstream.
fossil
-------
Try to work on a fix. A backport is likely the best thing to do due to huge changes.
putty
--------
Verify that putty/stretch and putty/jessie are unaffected by CVE-2024-31497. Filezilla is still affected.
Other works
==========
I attended the monthly meeting of the teams.
A special thanks to the Ubuntu security team for cross-checking my sendmail work, particularly Mark Esler.
Cheers
rouca
[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors