During the month of January 2025 and on behalf of Freexian, I worked on the
following:
python-reportlab
----------------
Uploaded 3.1.8-3+deb8u3 (jessie) and issued ELA-1289-1.
https://www.freexian.com/lts/extended/updates/ela-1289-1-python-reportlab/
* CVE-2019-19450: Code injection in paraparser.py allows code execution
* CVE-2020-28463: Server-side request forgery via <img> tags.
opensc
------
0.23.0-0.3+deb12u2 was accepted into Bookworm (12.9)
python-urllib3
--------------
1.26.12-1+deb12u1 was accepted into Bookworm (12.9)
sqlparse
--------
0.4.2-1+deb12u1 was accepted into Bookworm (12.9)
sssd
----
Uploaded 1.15.0-3+deb9u3 (stretch) and 1.16.3-3.2+deb10u3 (buster) and
issued ELA-1315-1.
https://www.freexian.com/lts/extended/updates/ela-1315-1-sssd/
* CVE-2018-10852: Information leak from the sssd-sudo responder.
* CVE-2018-16838: Improper implementation of GPOs due to too
restrictive permissions.
* CVE-2019-3811: Fallback_homedir returns '/' for empty home
directories in passwd file.
* CVE-2023-3758: Race condition during authorization leads to GPO
policies functioning inconsistently.
(1.16.3-3.2+deb10u3 only contains the fix for CVE-2023-3758 as the
previous version was already immune to the other issues.)
Also, started working on an upload to bullseye-security, but haven't
finalized it yet.
Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
--
Guilhem.