Report for (E)?LTS of May

I worked during May on the packages listed below, for Freexian
LTS/ELTS [1]

Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS
===

apache2
-------

I investigated the bullseye port proposed by yadd, the maintainer, and made some changes in order
to get apache2 in shape for buster.

I forward ported the buster test suite to sid.

As usual for apache2, testing was done with particular care and cross-checked by yadd.

I released DLA 3818-1 fixing CVE-2019-17567, CVE-2023-31122, CVE-2023-38709, CVE-2023-45802, CVE-2024-24795, CVE-2024-27316.


sendmail
--------

I continued the work to close CVE-2023-51765.

I worked alongside Andreas Beckmann to configure RejectNUL=True. Testing was extensive and the package was thus uploaded to sid.

I proposed Bookworm PU sendmail/8.17.1.9-2+deb12u1.

I will backport this fix after a few days in testing/sid to buster/stretch, on special advice of the security teams (sendmail fixes should be time tested).


shim
----

I backported fixes to buster.

I created the test suite (autopkgtest) for buster. Note that bugs in shim are likely critical, since they break boot.

I released DLA 3813-1 fixing CVE-2023-40546, CVE-2023-40547, CVE-2023-40548, CVE-2023-40549, CVE-2023-40550, CVE-2023-40551.


fossil
------

Apache2 fixes break unrelated packages, particularly fossil.
Indeed, the fix for CVE-2024-24795 may break unrelated
CGI-BIN scripts. As part of the security fix, the Apache web server
mod_cgi module has stopped relaying the Content-Length field
of the HTTP reply header from the CGI programs back to the client
in cases where the connection is to be closed and the client
is able to read until end-of-file.
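As an added illustration (not part of this report and not Apache's own code), a simplified Python model of the framing change described above: the relay side drops the script's Content-Length when the connection is to be closed, and the client side then has to read until end-of-file. The function names and the sample CGI output are constructed for the example.

```python
# Constructed CGI program output (example data, not from the report): a
# CGI-BIN script that emits its own Content-Length, as many scripts do.
CGI_OUTPUT = (
    b"Status: 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"hello world"
)


def parse_cgi_output(raw: bytes):
    """Split CGI output into (status, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, headers = "200 OK", {}
    for line in head.split(b"\r\n"):
        name, _, value = line.decode("latin-1").partition(":")
        if name.strip().lower() == "status":
            status = value.strip()
        else:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def relay_to_client(raw: bytes, close_connection: bool) -> bytes:
    """Hypothetical model of the post-fix mod_cgi behaviour: when the
    connection is to be closed, the script's Content-Length is not relayed."""
    status, headers, body = parse_cgi_output(raw)
    if close_connection:
        headers.pop("content-length", None)
        headers["connection"] = "close"
    out = f"HTTP/1.1 {status}\r\n".encode("latin-1")
    for name, value in headers.items():
        out += f"{name.title()}: {value}\r\n".encode("latin-1")
    return out + b"\r\n" + body


def client_read_body(response: bytes):
    """Client-side framing: returns (body, method), where method is
    'content-length' if the header was relayed, otherwise 'eof'."""
    head, _, rest = response.partition(b"\r\n\r\n")
    length = None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        if name.strip().lower() == "content-length":
            length = int(value)
    if length is None:
        return rest, "eof"  # no header: body ends when the connection closes
    return rest[:length], "content-length"
```

A script or client that assumes Content-Length is always present sees the "eof" case after the fix, which is the class of breakage the report describes for fossil.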

I proposed a bookworm fix.

I proposed a PU to bullseye.

I backported to buster and released DLA 3819-1.

libreoffice
-----------

See ELTS.


ELTS
====

putty
-----

I tried to backport CVE-2021-36367 without success.

uwsgi
-----

I triaged and determined that apache2 CVE-2024-24795 affected older uwsgi.

I fixed CVE-2024-24795 and released ELA-1095-1.

composer
--------

I fixed CVE-2022-24828 and CVE-2023-43655.

I investigated a test failure and fixed it.

I released ELA-1096-1 for composer.

libreoffice
-----------

I investigated CVE-2024-3044. I determined this security bug is only a concern for stretch.

I backported to buster. I released DLA-3821-1.

I ported to stretch and released ELA-1097-1.

apache2
-------

I fixed the autopkgtest.

I released partial updates: ELA-1098-1 fixing CVE-2023-31122 and CVE-2024-24795 for jessie, and
ELA-1099-1 fixing CVE-2023-31122, CVE-2023-38709 and CVE-2024-24795 for stretch.

I backported CVE-2023-38709 to jessie, which needed a functionality backport, and asked for review. Review identified some minor problems that were fixed (thanks to roberto).

I tried to backport the remaining HTTP/2 bug on stretch, but the code change was so massive that a simple backport was not possible.

I thus backported the whole http2 module from 2.4.59 to the stretch version, by backporting missing functionality or API (particularly the StrictHostCheck functionality).

Due to the huge changes (about 1Mb) I asked for help creating an extensive test suite. The Apache2 http2 test suite could not be run due to the lack of libprotocol-http2-perl in stretch.


Other
=====

A special thanks to the Ubuntu security team for cross-checking my sendmail work, particularly Mark Esler.

A special thanks to petn randall for testing apache2 on stretch and to roberto for cross-checking apache2/jessie.

Cheers

rouca

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors