I've worked during September 2024 on the below listed packages, for Freexian LTS/ELTS [1]. Many thanks to Freexian and sponsors [2] for providing this opportunity!

firmware-nonfree (ELA-1179-1)
=============================

(As already announced in August, at that time still WIP), the upload updated several firmware files in relation to Intel Bluetooth and WiFi solutions, fixing several CVEs. The actual upload happened early September, fixing in ELA-1179-1:

CVE-2023-35061 - potential information disclosure via adjacent access
CVE-2023-38417 - potential denial of service via adjacent access
CVE-2023-47210 - potential denial of service via adjacent access

zabbix (DLA-3909-1, ELA-1193-1)
===============================

ELTS/LTS: Some of the CVEs have been triaged and found not to be affecting the versions in LTS and ELTS.

LTS: (The CVEs are too many to list here, please refer to the announcements for details.)

zabbix/bullseye had a lot of open CVEs. Luckily, I've found that bullseye's version 5(.0.8) of zabbix is still a supported upstream LTS version. Thus I've opened the discussion whether it would be sensible to update to the latest upstream LTS version (5.0.44) instead of hunting down the required patches and then backporting the patches individually. This saves a lot of potential for regressions. Upstream usually does not link their (CVE) tickets to fixing commits, making it quite time consuming to hunt down required fixes. The downside is that zabbix's life cycle and release policy [3] is divided into two phases, and in the first phase general bug fixes are also permissible, which is usually outside of the Debian LTS scope and needed to be evaluated as well. That said, upstream lists significant changes in their upgrade notes and their verbose release notes, which helped a lot in the assessment.

The assessment boiled down to a few changes that needed investigation, but many of the changes involved the new (Go based) Agent2, which we do not have packaged in bullseye, and some minor, possibly backward incompatible changes in rare situations have been added to the DLA text. After importing the 5.0.44, there were a few remaining CVEs which needed regular backports of fixes.

ELTS: (CVE-2024-22114, CVE-2024-22116, CVE-2024-22122, CVE-2024-22123)

For ELTS several CVEs had to be backported and tested. To track down the fixes, I've developed a strategy to identify the patches. For this, the upstream git repository has shown to be very helpful: while upstream does not publish the commits needed to fix the CVEs, they usually have the ticket number used to track the CVE in the upstream changelog. Often, the wording of the changelog entry gives additional hints, which can be correlated to the git commit logs. These commit logs are commonly associated with a DEV-xxxx annotation. All commits with that annotation in the commit message are usually the patches to look for.

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors
[3] https://www.zabbix.com/life_cycle_and_release_policy

Cheers,
-- 
tobi

(Resent as it seems the first attempt didn't go through)
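The changelog-to-commit correlation described for the ELTS backports, as an added example (not code from the mail above or from the Zabbix project): it extracts the DEV ticket annotations from changelog lines that mention a CVE, then looks for commits carrying the same annotation in `git log` output, and builds the `git log --grep` invocation to run against a real checkout. The changelog excerpt, commit hashes, ticket numbers and their mapping to CVEs are all constructed for illustration and do not reflect upstream's actual tickets.

```python
import re
from typing import Dict, List

# A DEV ticket annotation as it appears in upstream changelog and commit subjects.
TICKET_RE = re.compile(r"\b(DEV-\d+)\b")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed excerpt in the shape of an upstream changelog. The ticket numbers
# and the CVE they are paired with are invented for this example.
SAMPLE_CHANGELOG = """\
Bug fixes:
..F....... [DEV-0001] fixed input validation in item preprocessing (CVE-2024-22114)
.......... [DEV-0002] fixed typo in frontend translation
..F....... [DEV-0003] fixed escaping in audit log query (CVE-2024-22116)
"""

# Constructed output of `git log --format='%H%x09%s'` (hash, TAB, subject).
SAMPLE_GIT_LOG = """\
aaaa111\t..F....... [DEV-0001] fixed input validation in item preprocessing
bbbb222\t.......... [DEV-0002] fixed typo in frontend translation
cccc333\t..F....... [DEV-0003] fixed escaping in audit log query
dddd444\t..F....... [DEV-0003] added regression test for audit log escaping
eeee555\t.......... updated copyright year
"""


def cve_to_tickets(changelog: str) -> Dict[str, List[str]]:
    """Map every CVE named in the changelog to the DEV tickets on the same line."""
    mapping: Dict[str, List[str]] = {}
    for line in changelog.splitlines():
        cves = CVE_RE.findall(line)
        tickets = TICKET_RE.findall(line)
        for cve in cves:
            bucket = mapping.setdefault(cve, [])
            for ticket in tickets:
                if ticket not in bucket:
                    bucket.append(ticket)
    return mapping


def commits_for_ticket(git_log: str, ticket: str) -> List[str]:
    """Return the hashes of all commits whose subject carries the ticket annotation."""
    found = []
    for line in git_log.splitlines():
        sha, _, subject = line.partition("\t")
        # Match on the parsed annotation, not a substring, so DEV-1 never
        # matches DEV-10.
        if ticket in TICKET_RE.findall(subject):
            found.append(sha)
    return found


def git_log_command(ticket: str, repo: str = ".") -> List[str]:
    """Build the git invocation that lists every commit annotated with the ticket
    across all branches, in the hash/subject format parsed above."""
    return ["git", "-C", repo, "log", "--all", "--fixed-strings",
            f"--grep={ticket}", "--format=%H%x09%s"]


def candidate_commits(changelog: str, git_log: str) -> Dict[str, List[str]]:
    """For each CVE in the changelog, collect the commits worth reviewing as the fix."""
    result: Dict[str, List[str]] = {}
    for cve, tickets in cve_to_tickets(changelog).items():
        shas: List[str] = []
        for ticket in tickets:
            shas.extend(commits_for_ticket(git_log, ticket))
        result[cve] = shas
    return result


if __name__ == "__main__":
    for cve, shas in candidate_commits(SAMPLE_CHANGELOG, SAMPLE_GIT_LOG).items():
        print(cve, "->", ", ".join(shas) or "(no commit found)")
    print(" ".join(git_log_command("DEV-0003", "/path/to/zabbix-checkout")))
```

The match is deliberately done on the parsed annotation rather than a plain substring so that a short ticket number does not pull in unrelated commits; the resulting hash list is a review queue, not a verdict, since a ticket can also carry follow-up commits (tests, refactors) that a backport may or may not need.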