I've worked during May on the below listed packages, for Freexian LTS/ELTS [1]. Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS
===

apache2
-------

I investigated the bullseye port proposed by yadd, the maintainer, and made some changes in order to get apache2 in shape for buster.
I forward-ported the buster testsuite to sid.
As usual for apache2, testing was done with particular care and cross-checked by yadd.
I released DLA 3818-1 fixing CVE-2019-17567, CVE-2023-31122, CVE-2023-38709, CVE-2023-45802, CVE-2024-24795, CVE-2024-27316.

sendmail
--------

I continued the work to close CVE-2023-51765.
I worked along with Andreas Beckmann to configure RejectNUL=True. Testing was extensive and thus uploaded to sid.
I proposed Bookworm PU sendmail/8.17.1.9-2+deb12u1.
I will backport this fix after some days in testing/sid to buster/stretch, by special advice of the security teams (sendmail fixes should be time tested).

shim
----

I backported fixes to buster.
I created the test suite (autopkgtest) for buster.
Note that bugs in shim are likely critical due to breaking boot.
I released DLA 3813-1 fixing CVE-2023-40546 CVE-2023-40547 CVE-2023-40548 CVE-2023-40549 CVE-2023-40550 CVE-2023-40551.

fossil
------

The apache2 fixes break unrelated packages, particularly fossil. Indeed the fix of CVE-2024-24795 may break unrelated CGI-BIN scripts.
As part of the security fix, the Apache webserver mod_cgi module has stopped relaying the Content-Length field of the HTTP reply header from the CGI programs back to the client in cases where the connection is to be closed and the client is able to read until end-of-file.
I proposed bookworm fixes.
I proposed a PU to bullseye.
I backported to buster and released DLA 3819-1.

libreoffice
-----------

See ELTS.

ELTS
====

putty
-----

I tried to backport CVE-2021-36367 without success.

uwsgi
-----

I triaged and determined that apache2 CVE-2024-24795 affected older uwsgi.
I fixed CVE-2024-24795 and released ELA-1095-1.

composer
--------

I fixed CVE-2022-24828 and CVE-2023-43655.
I investigated a test failure and fixed it.
I released ELA-1096-1 for composer.

libreoffice
-----------

I investigated CVE-2024-3044. I determined this security bug is only a concern for stretch.
I backported to buster. I released DLA-3821-1.
I ported to stretch and released ELA-1097-1.

apache2
-------

I fixed autopkgtest.
I released the partial update ELA-1098-1 fixing CVE-2023-31122 CVE-2024-24795 for jessie and ELA-1099-1 fixing CVE-2023-31122 CVE-2023-38709 CVE-2024-24795 for stretch.
I backported CVE-2023-38709 to jessie, which needed a functionality backport, and asked for review. Review identified some minor problems that were fixed (thanks to roberto).
I tried to backport the remaining HTTP2 bug on stretch. But the code change was so massive that a simple backport was not possible. I thus backported the whole http2 module from 2.4.59 to the stretch version, by backporting missing functionality or API (particularly the StrictHostCheck functionality).
Due to the huge changes (about 1Mb) I asked for help creating an extensive testsuite.
The apache2 http2 testsuite could not be run due to lack of libprotocol-http2-perl/stretch.

Other
=====

A special thanks to the ubuntu security team for cross-checking my sendmail work, particularly Mark Esler.
A special thanks to petn randall for testing apache2 stretch and roberto for cross-checking apache2/jessie.

Cheers
rouca

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors
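The fossil section above describes the CVE-2024-24795 mod_cgi change: Content-Length from the CGI program is no longer relayed when the connection is closing and the client can read until end-of-file. The following added example (not code from the report, from Apache, or from fossil) models that on the client side: a parser that delimits the body as RFC 7230 section 3.3.3 requires, so a close-delimited reply yields the same body as a Content-Length one, while a truncated close-delimited reply can no longer be detected. The `relay_close_delimited` helper and the sample reply are constructed simplifications, not Apache's actual logic.

```python
def parse_response(raw: bytes):
    """Split an HTTP/1.x reply into (status line, headers, body).

    Body delimiting follows RFC 7230 section 3.3.3: Content-Length when present,
    otherwise the body runs until the server closes the connection, which here
    is the end of `raw`. Chunked framing is left out to keep the example short.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if "chunked" in headers.get("transfer-encoding", "").lower():
        raise ValueError("chunked framing is outside this example")
    if "content-length" in headers:
        length = int(headers["content-length"])
        if len(rest) < length:
            # With a length the client can tell a cut-off reply from a complete one.
            raise ValueError("connection closed before Content-Length bytes arrived")
        return lines[0], headers, rest[:length]
    if headers.get("connection", "").lower() != "close":
        raise ValueError("no length framing and no Connection: close")
    return lines[0], headers, rest  # close-delimited: body is whatever arrived before EOF


def relay_close_delimited(cgi_output: bytes) -> bytes:
    """Constructed model (assumption, not Apache code) of the fixed mod_cgi
    behaviour: drop the script's Content-Length and mark the connection as
    closing, so the client must read until end-of-file."""
    head, _, body = cgi_output.partition(b"\r\n\r\n")
    kept = [l for l in head.split(b"\r\n") if not l.lower().startswith(b"content-length:")]
    kept.append(b"Connection: close")
    return b"\r\n".join(kept) + b"\r\n\r\n" + body


# Constructed sample reply as a CGI program (fossil, for instance) would frame it.
CGI_OUTPUT = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
              b"Content-Length: 12\r\n\r\nhello, world")


def body_matches() -> bool:
    """A framing-compliant client gets the same body with or without the relayed length."""
    _, _, direct = parse_response(CGI_OUTPUT)
    _, _, relayed = parse_response(relay_close_delimited(CGI_OUTPUT))
    return direct == relayed == b"hello, world"
```

A client or script that insists on the Content-Length header being present, rather than following the RFC framing rules, is the kind of consumer the fix breaks.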