During October I worked on the packages listed below for Freexian LTS/ELTS [1]. Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS
===

ansible
-----------
This package is complicated because upstream is split between ansible and ansible-core, and there are massive code path changes between oldstable and sid. The best course of action is to take the backport from sid and then push it step by step to the older versions.
I triaged the remaining CVEs. As noted, this is complicated due to the package split between ansible and ansible-core.
I fixed CVE-2024-8775.
I fixed the autopkgtest failure caused by a partial fix of paramiko upstream.
I proposed a PU to the maintainer for bookworm.
I fixed CVE-2024-9902 for sid and bookworm, and backported it to bullseye.
I investigated a test failure.
I made a partial release, DLA 3963-1, while waiting for upstream fixes for CVE-2024-11079.

context
-----------
I fixed the CVE-2023-32668 follow-up (broken install) and released DLA-3946-1.

mpg123
-------------
I fixed CVE-2024-10573.
Fixed the regression and incomplete patch for CVE-2024-10573. Indeed, upstream points to a commit, but further testing showed that buster could still trigger the vulnerability.
I released DLA 3967-1.

python
---------
I triaged CVE-2024-9287 and found, with carnil, that the virtualenv package is also affected. CVE-2024-53899 was requested.

proftpd
-----------
Backported CVE-2023-48795 (Terrapin attack).
Backported upstream issue #1830 and asked about its CVE status. Upstream requested a CVE.
Released DLA-3975-1.

apache2
------------
Investigated various upstream regressions due to a recent fix on a corner case.

ELTS
====

libcpan-reporter-smoker-perl
-------------------------------------------
Fixed FTBFS with newer perl by backporting the fix from a newer version.
Released ELA-1224-1.

texlive-bin
---------------
Released ELA-1225-1 fixing CVE-2023-32668.

context
-----------
Fixed the CVE-2023-32668 follow-up (broken install) on buster.
Released ELA-1230-1.

perl
------
Released ELA-1226-1 fixing CVE-2020-16156 and CVE-2023-31484.

ansible
----------
Fixed CVE-2024-9902 for buster.
Fixed CVE-2019-14858 for buster.
Fixed CVE-2019-14905 for buster.
Other fixes are likely hard to patch due to code changes.

python2.7
---------------
Reviewed CVE-2024-6923 patches.
Fixed CVE-2024-7592.
Fixed regression LP2089136.
Backported to stretch.
Backported to jessie.

python3.7
--------------
Fixed CVE-2023-27043, CVE-2024-6232, CVE-2024-6923, CVE-2024-7592, CVE-2024-9287, CVE-2024-11168.
Fixed the testsuite.
Released ELA-1244-1.

python3.5
--------------
Backported CVE-2023-27043, CVE-2024-6232, CVE-2024-6923, CVE-2024-7592, CVE-2024-9287, CVE-2024-11168.
Reserved ELA-1262-1 (waiting for test).
This backport is harder due to the lack of some functionality, like f-strings.

python3.4
---------------
Backported CVE-2023-27043.

apache2
------------
Released ELA-1234-1 fixing CVE-2024-38473.
Investigated the stretch failure.

mpg123
-----------
Following bullseye, fixed CVE-2024-10573 for buster and released ELA-1250-1.
Fixed CVE-2017-9545, CVE-2017-10683, CVE-2017-12797, CVE-2017-12839 for stretch and released ELA-1251-1.

mariadb10.1
------------------
Uploaded fixes for CVE-2022-38791.

proftpd
-----------
Began work on the stretch backport.

Other
=====
I attended the monthly meeting.
I attended the LTS session at the Toulouse Mini-DebConf.

A special thanks to santiago and roberto for testing.
Thanks to carnil on the triaging front.

Cheers
rouca

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors