Hello,

November was my seventeenth month working on LTS and ELTS. Thank you to Freexian and Freexian's sponsors for making these projects possible: <https://www.freexian.com/lts/debian/#sponsors>

LTS

- openssl
  - Released DLA-3042-2, an update to my DLA at the end of last month. I used the wrong version number for my first DLA, such that the update would not actually get installed.
  - I received a comment[0] on Raspbian's import of my upload for openssl to bullseye-security last month. I checked out the issue and confirmed that no regression update was required. I was surprised but very pleased that someone had reviewed my work like this. It reminded me how working on Debian, LTS and more generally, has an impact on a lot of downstreams. It also seemed notable to me how GitHub knew to e-mail me about it because my name was on the upload, although this was Raspbian's own import of the upload's .dsc, not the git branch I pushed to salsa.

    [0] https://github.com/raspbian-packages/openssl/commit/7978b974acd549045e794ab88a742b530d41ab50#r149117994

- python-werkzeug
  - Started work on an update for three CVEs. I hope to be able to fix these across jessie, stretch, buster, bullseye and bookworm.

- Correspondence.

ELTS

- openssl & openssl1.0
  - Released ELA-1256-1, ELA-1257-1 and ELA-1258-1, addressing CVE-2023-5678, CVE-2024-0727, CVE-2024-2511, CVE-2024-4741, CVE-2024-5535 and CVE-2024-9143 in src:openssl.
  - Uploaded corresponding updates for src:openssl1.0 to stretch-staging; still waiting for builds and autopkgtests at time of writing.
  - Marked CVE-2024-5535 as ignored for jessie and stretch. The reason for this was that backporting the tests for the fix would have taken a lot of time, and the vulnerability is of comparatively low severity. By contrast, I fixed the vulnerability in buster because backporting the tests was straightforward. Working on LTS/ELTS has taught me more about how to work with trade-offs like this.
  - Marked CVE-2024-9143 as ignored for jessie, for similar reasons.
  - Rewrote the tests for the fix for CVE-2024-0727 so that they could run under the older testing infrastructure with OpenSSL 1.0.x. I identified that in this particular case, rewriting the tests would not take much time: the tests pass just when certain openssl(1ssl) commands exit zero.

-- 
Sean Whitton