(E)LTS report for November 2024
LTS:

apr:
  - Determined that CVE-2023-49582 (sole unfixed CVE) does not affect the binary package in bullseye.

ghostscript:
  - Determined that CVE-2024-46952 does not affect <= bullseye.
  - Released DLA-3965-1, fixing CVE-2024-46951, CVE-2024-46953, CVE-2024-46955 and CVE-2024-46956.

glib2.0:
  - Released DLA-3962-1, fixing CVE-2024-52533.

guix:
  - Released DLA-3959-1, fixing CVE-2024-52867.

libarchive:
  - Released DLA-3950-1, fixing CVE-2021-36976, CVE-2022-26280, CVE-2022-36227 and CVE-2024-20696.

python3.9:
  - Determined that CVE-2020-27619 was already fixed.
  - Released DLA-3980-1, fixing CVE-2015-20107, CVE-2020-10735, CVE-2021-3426, CVE-2021-3733, CVE-2021-3737, CVE-2021-4189, CVE-2021-28861, CVE-2021-29921, CVE-2022-42919, CVE-2022-45061, CVE-2023-6597, CVE-2023-24329, CVE-2023-27043, CVE-2023-40217, CVE-2024-0397, CVE-2024-0450, CVE-2024-4032, CVE-2024-6232, CVE-2024-6923, CVE-2024-7592, CVE-2024-8088, CVE-2024-9287 and CVE-2024-11168.
  - Submitted a package fixing CVE-2023-27043, CVE-2024-6923, CVE-2024-7592, CVE-2024-9287 and CVE-2024-11168 in the next bookworm point release.
  - Due to a binary-all FTBFS of the first upload, the DLA was published in December, but most of the work was done in November.

rclone:
  - Determined that CVE-2024-52522 (sole unfixed CVE) does not affect <= bullseye.

redis:
  - Determined that CVE-2024-31449 does not affect the binary package in bullseye.
  - Released DLA-3973-1, fixing CVE-2022-35977 and CVE-2024-31228.
  - Submitted a package fixing CVE-2024-31227, CVE-2024-31228 and CVE-2024-31449 in the next bookworm point release.

waitress:
  - Backported changes to run the upstream test suite at build time.
  - Released DLA-3955-1, fixing CVE-2024-49769.
ELTS:

apr:
  - Determined that CVE-2023-49582 (sole unfixed CVE) does not affect the binary package in buster, stretch or jessie.

ghostscript:
  - Determined that CVE-2024-46954 does not affect <= buster.
  - Backported the autopkgtest to stretch and jessie.
  - Released ELA-1243-1, fixing CVE-2024-46951, CVE-2024-46953, CVE-2024-46955 and CVE-2024-46956 in buster, stretch and jessie.

glib2.0:
  - Released ELA-1240-1, fixing CVE-2024-52533 in buster, stretch and jessie.

libarchive:
  - Released ELA-1233-1, fixing CVE-2024-20696 in buster, stretch and jessie.

qtbase-opensource-src:
  - Determined that CVE-2023-51714 does not affect jessie.
  - Determined that CVE-2024-39936 does not affect stretch or jessie.
  - Fixed the build on i386 and armhf in buster, where the previous DLA was never successfully built.
  - Released ELA-1239-1, fixing CVE-2023-34410 in buster, stretch and jessie, and CVE-2023-24607, CVE-2023-32763, CVE-2023-33285, CVE-2023-37369 and CVE-2023-38197 in jessie.

redis:
  - Determined that CVE-2024-31227 does not affect <= buster.
  - Determined that CVE-2024-31449 does not affect jessie.
  - Determined that CVE-2024-31449 does not affect the binary package in buster.
  - Backported the autopkgtest to jessie.
  - Released ELA-1253-1, fixing CVE-2022-35977, CVE-2023-25155 and CVE-2024-31228 in buster, stretch and jessie, CVE-2022-36021 in stretch and jessie, and CVE-2024-31449 in stretch.

waitress:
  - Released ELA-1236-1, fixing CVE-2024-49769 in buster.