During September I worked on the packages listed below for Freexian
LTS/ELTS [1].
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
LTS
===
Cacti
-----
I backported bookworm fixes.
I fixed the autopkgtest suite.
I investigated the status of CVE-2024-27082.
I fixed CVE-2022-41444, CVE-2024-25641, CVE-2024-31443, CVE-2024-31444,
CVE-2024-31445, CVE-2024-31458, CVE-2024-31459, CVE-2024-31460 and
CVE-2024-34340.
I released DLA 3884-1.
DOMPurify
---------
During previous work on Cacti, I reviewed DOMPurify, a JS component used for protecting against XSS.
This piece of software was vulnerable and I filed a few security issues found by commit review.
NodeJS
------
I fixed CVE-2023-30589, CVE-2023-30590, CVE-2023-32559, CVE-2023-46809,
CVE-2024-22019, CVE-2024-22025, CVE-2024-27982 and CVE-2024-27983.
I triaged a few bugs that do not apply to bullseye. I cross-checked by code review and by trying exploits.
I uploaded and released DLA-3886-1.
pymongo
-------
I released DLA-3889-1 fixing CVE-2024-5629.
libreoffice
-----------
I backported the fix for CVE-2024-7788.
Unfortunately I was hit by an FTBFS that is present in the current version.
I am debugging it.
As usual, progress is slow due to the huge build time for this package.
Apache2
-------
I contacted upstream a few times about regression handling.
I triaged another regression issue caused by a recent fix.
I made a partial fix for the regressions and am waiting for the release for unstable/bookworm/bullseye.
ELTS
====
apache2
-------
I fixed CVE-2024-38474/CVE-2024-38475 for the buster release (ELA-1182-1)
and ELA-1182-2 for stretch/jessie.
Note that these fixes include regression fixes found in Apache trunk.
mariadb
-------
I have made a new batch of fixes for mariadb-10.1 fixing CVE-2021-46659, CVE-2022-21427, CVE-2022-24048, CVE-2022-24050, CVE-2022-24051, CVE-2022-24052, CVE-2022-27380, CVE-2022-27383, CVE-2022-27384, CVE-2022-27387, CVE-2022-27448, CVE-2022-31622 and CVE-2022-32083.
I am preparing a third batch of fixes.
I have backported the fix for CVE-2024-21096 for mariadb-10.3 and am waiting for review.
Nodejs
------
I have triaged the remaining CVEs by testing the POCs and by code review.
nodejs for ELTS is not affected by the triaged CVEs, thus an ELA was not needed.
Libreoffice
-----------
I backported the fix for CVE-2024-6472 and released ELA-1181-1.
Other
=====
I attended the monthly meeting.
A special thanks to Santiago and Roberto for testing.
Cheers,
rouca
[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors