Hello,
December was my nineteenth month working on LTS and ELTS. Thank you to
Freexian and Freexian's sponsors for making these projects possible:
<https://www.freexian.com/lts/debian/#sponsors>
LTS
- jinja2
  - Fixed CVE-2024-56201 and CVE-2024-56326 in Debian testing and Debian
    unstable by uploading a new upstream release. Doing this required
    some other packaging updates due to other changes upstream.
    I switched to other packages for LTS while waiting for ci.debian.net
    testing results, and so I have not fixed stable or oldstable. This
    update to sid had to happen first, though, so I've unblocked the LTS
    work, whether or not it's me who will eventually do it.
    There isn't much crossover between updating to the new upstream
    version and backporting the fixes, so this wasn't inefficient.
- git
  - Released DLA-4031-1 addressing CVE-2024-50349 and CVE-2024-52006.
- vim
  - Submitted a proposed update for Debian bookworm addressing
    CVE-2023-2610, CVE-2023-4738, CVE-2023-4752, CVE-2023-4781,
    CVE-2023-5344, CVE-2024-22667, CVE-2024-43802 and CVE-2024-47814.
  - Started preparing an update to address (deep breath)
    CVE-2021-3872, CVE-2021-4019, CVE-2021-4173, CVE-2021-4187,
    CVE-2022-0261, CVE-2022-0351, CVE-2022-0359, CVE-2022-0361,
    CVE-2022-0392, CVE-2022-0417, CVE-2022-0572, CVE-2022-1616,
    CVE-2022-1785, CVE-2022-1897, CVE-2022-1942, CVE-2022-2000,
    CVE-2022-2129, CVE-2022-2304, CVE-2022-3099, CVE-2022-3134,
    CVE-2022-3324, CVE-2022-4141, CVE-2023-0054, CVE-2023-1175,
    CVE-2023-2610, CVE-2023-4738, CVE-2023-4752, CVE-2023-4781,
    CVE-2023-5344, CVE-2024-22667, CVE-2024-43802 and CVE-2024-47814.
    These are all problems due to the unsafe nature of the C programming
    language. I've backported upstream's fixes for the first 29 CVEs,
    and am now working on getting the tests to pass. Then I'll backport
    fixes for the remaining four CVEs.
  - Determined that CVE-2023-2426 does not affect bullseye.
    To be confident in this conclusion I had to both run the
    proof-of-concept exploit provided by the pseudonymous individual
    who discovered the vulnerability, and study the code.
  - Correspondence.
ELTS
- git
  - Released ELA-1307-1 addressing CVE-2024-50349 and CVE-2024-52006.
--
Sean Whitton