Hello,
November was my seventeenth month working on LTS and ELTS. Thank you to
Freexian and Freexian's sponsors for making these projects possible:
<https://www.freexian.com/lts/debian/#sponsors>
LTS

- openssl
  - Released DLA-3042-2, an update to my DLA at the end of last month.
    I used the wrong version number for my first DLA such that the
    update would not actually get installed.
  - I received a comment[0] on Raspbian's import of my upload for
    openssl to bullseye-security last month. I checked out the issue
    and confirmed that no regression update was required.
    I was surprised but very pleased that someone had reviewed my work
    like this. It reminded me how working on Debian, LTS and more
    generally, has an impact on a lot of downstreams.
    It also seemed notable to me how GitHub knew to e-mail me about it
    because my name was on the upload, although this was Raspbian's own
    import of the upload .dsc, not the git branch I pushed to salsa.
    [0] https://github.com/raspbian-packages/openssl/commit/7978b974acd549045e794ab88a742b530d41ab50#r149117994
- python-werkzeug
  - Started work on an update for three CVEs. I hope to be able to fix
    these across jessie, stretch, buster, bullseye and bookworm.
- Correspondence.
ELTS

- openssl & openssl1.0
  - Released ELA-1256-1, ELA-1257-1 and ELA-1258-1 addressing
    CVE-2023-5678, CVE-2024-0727, CVE-2024-2511, CVE-2024-4741,
    CVE-2024-5535 and CVE-2024-9143 in src:openssl.
  - Uploaded corresponding updates for src:openssl1.0 to
    stretch-staging; still waiting for builds and autopkgtests at time
    of writing.
  - Marked CVE-2024-5535 as ignored for jessie and stretch.
    The reason for this was that backporting the tests for the fix would
    have taken a lot of time, and the vulnerability is of comparatively
    low severity. By contrast, I fixed the vulnerability in buster
    because backporting the tests was straightforward.
    Working on LTS/ELTS has taught me more about how to work with
    trade-offs like this.
  - Marked CVE-2024-9143 as ignored for jessie, for similar reasons.
  - Rewrote the tests for the fix for CVE-2024-0727 so that they could
    run under the older testing infrastructure with OpenSSL 1.0.x.
    I identified that in this particular case, rewriting the tests would
    not take much time: the tests pass just when certain openssl(1ssl)
    commands exit zero.
--
Sean Whitton