
Report for (E)?LTS of November



During October I worked on the packages listed below for Freexian
LTS/ELTS [1].

Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS
===

ansible
-----------

This package is complicated because upstream split it between ansible and ansible-core, and the code
paths changed massively between oldstable and sid. The best course of action is to take the backport from sid and then
push it step by step to the older versions.

I triaged the remaining CVEs. As noted, this is complicated due to the package split between ansible and ansible-core.
I fixed CVE-2024-8775.
I fixed autopkgtest, which was failing due to a partial upstream fix of paramiko.
I proposed a PU to the maintainer for bookworm.
I fixed CVE-2024-9902 for sid and bookworm, and backported it to bullseye.
I investigated a test failure.
I made a partial release, DLA 3963-1, while waiting for upstream fixes for CVE-2024-11079.

context
-----------

I fixed the CVE-2023-32668 follow-up (broken install) and released DLA-3946-1.

mpg123
-------------

I fixed CVE-2024-10573.
I fixed a regression and the incomplete patch for CVE-2024-10573. Upstream pointed to a commit, but further testing showed that buster could still trigger the vulnerability.
I released DLA 3967-1.

python
---------

I triaged CVE-2024-9287 and found, together with carnil, that the virtualenv package is also affected. CVE-2024-53899 was requested.

proftpd
-----------

Backported the fix for CVE-2023-48795 (Terrapin attack).
Backported upstream issue #1830 and asked about its CVE status. Upstream requested a CVE.
Released DLA-3975-1.

apache2
------------

Investigated various upstream regressions caused by a recent fix for a corner case.

ELTS
====

libcpan-reporter-smoker-perl
-------------------------------------------

Fixed FTBFS with newer perl by backporting the fix from a newer version.
Released ELA-1224-1.

texlive-bin
---------------

Released ELA-1225-1 fixing CVE-2023-32668.

context
-----------

Fixed the CVE-2023-32668 follow-up (broken install) on buster. Released ELA-1230-1.

perl
------

Released ELA-1226-1 fixing CVE-2020-16156 and CVE-2023-31484.

ansible
----------

Fixed CVE-2024-9902 for buster.
Fixed CVE-2019-14858 for buster.
Fixed CVE-2019-14905 for buster.

The other fixes are likely hard to apply due to code changes.

python2.7
---------------

Reviewed the CVE-2024-6923 patches.
Fixed CVE-2024-7592.
Fixed regression LP2089136.
Backported to stretch.
Backported to jessie.

python3.7
--------------

Fixed CVE-2023-27043, CVE-2024-6232, CVE-2024-6923, CVE-2024-7592, CVE-2024-9287 and CVE-2024-11168.
Fixed the test suite.
Released ELA-1244-1.

python3.5
--------------

Backported the fixes for CVE-2023-27043, CVE-2024-6232, CVE-2024-6923, CVE-2024-7592, CVE-2024-9287 and CVE-2024-11168.
Reserved ELA-1262-1 (waiting for testing).

This backport is harder due to the lack of some functionality, such as f-strings.

python3.4
---------------

Backported the fix for CVE-2023-27043.

apache2
------------

Released ELA-1234-1 fixing CVE-2024-38473.
Investigated a stretch failure.

mpg123
-----------

Following bullseye:
Fixed CVE-2024-10573 for buster, released ELA-1250-1.
Fixed CVE-2017-9545, CVE-2017-10683, CVE-2017-12797 and CVE-2017-12839 for stretch, released ELA-1251-1.

mariadb10.1
------------------

Uploaded fixes for CVE-2022-38791.

proftpd
-----------

Began work on the stretch backport.

Other
=====

I attended the monthly meeting.

I attended the LTS session at the Toulouse Mini-DebConf.

Special thanks to santiago and roberto for testing.
Thanks to carnil on the triaging front.

Cheers

rouca

[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors
