(E)LTS report for June 2024
LTS:
cyrus-imapd:
- Marked CVE-2024-34055 (sole unfixed CVE) as ignored due to being
too intrusive to backport, following upstream and bullseye.
dcmtk:
- Determined that CVE-2024-27628 does not affect <= bullseye
- Released DLA-3847-1, fixing CVE-2021-41687, CVE-2021-41688,
CVE-2021-41689, CVE-2021-41690, CVE-2022-2121, CVE-2022-43272,
CVE-2024-28130, CVE-2024-34508 and CVE-2024-34509.
glibc:
- Released DLA-3850-1, fixing CVE-2024-33599, CVE-2024-33600,
CVE-2024-33601 and CVE-2024-33602.
libvpx:
- Released DLA-3830-1, fixing CVE-2024-5197.
- Provided the packages for DSA-5722-1, fixing the CVE also in
bullseye and bookworm.
nano:
- Released DLA-3831-1, fixing CVE-2024-5742.
- Submitted updates with the CVE fix for bullseye and bookworm,
they were included in the Debian 11.10 and 12.6 point releases.
plasma-workspace:
- Determined that CVE-2024-1433 does not affect <= bullseye,
but does affect plasma-framework.
- Released DLA-3827-1, fixing CVE-2024-36041.
- Provided the packages for DSA-5723-1, fixing the CVE also in
bullseye and bookworm.
sredird:
- Discussed with the security team that CVE-2004-2386 (sole
unfixed CVE) is considered to refer only to a vulnerability
that was fixed in Debian 20 years ago.
ELTS:
dcmtk:
- Released ELA-1118-1, fixing CVE-2019-1010228, CVE-2021-41687,
CVE-2021-41688, CVE-2021-41689, CVE-2021-41690, CVE-2022-2121,
CVE-2022-43272, CVE-2024-28130, CVE-2024-34508 and CVE-2024-34509
in stretch.
glibc:
- Released ELA-1119-1, fixing CVE-2024-33599, CVE-2024-33600,
CVE-2024-33601 and CVE-2024-33602 in jessie and stretch.
libvpx:
- Determined that CVE-2016-3881 does not affect jessie.
- Released ELA-1112-1, fixing CVE-2024-5197 in jessie and stretch,
and CVE-2016-6711 and CVE-2017-0393 in jessie.
nano:
- Released ELA-1109-1, fixing CVE-2024-5742 in jessie and stretch.