Debian LTS and ELTS report: December 2024
Hello everyone,
Here’s my monthly report for the work I’ve done for Debian LTS
and ELTS in December 2024.
Thanks to Freexian and sponsors for making this possible:
https://www.freexian.com/lts/debian/#sponsors
LTS
===
389-ds-base
I have prepared an update for this package fixing a bunch of CVEs,
but it hasn’t yet been uploaded pending a review and some co-ordination
with the Debian maintainer of the package.
Most of the fixes were straightforward cherry-picks, but a few I had
to skip as they brought in too much code as dependency, or had massive
merge conflicts:
* CVE-2024-6237: code dependencies too big for me personally to review,
and they risk potential regressions elsewhere. Removing them has its own
risk, as the upstream code hasn't been tested in such a configuration
at all.
* CVE-2022-1949: same issue as above.
* CVE-2023-1055: merge conflicts in JSX code; I don't have sufficient
skills to review that, unfortunately.
ELTS
====
I haven't done anything for ELTS yet, but I still plan to port fixes for
CVEs from my previous LTS updates to Buster as well.
--
Cheers,
Andrej