I've worked during February 2025 on the below listed packages, for Freexian LTS/ELTS [1]. Many thanks to Freexian and sponsors [2] for providing this opportunity!

freerdp2 (DLA-4053-1, DLA-4070-1), stable
========================================

The situation for freerdp2 was that there were many CVEs already fixed for buster, but bullseye was lagging behind, so the task was to update freerdp2 in bullseye as well as preparing a stable-proposed-updates upload, as none of the CVEs were marked as requiring a DSA. (LTS ticket #187)

DLA-4053-1 fixed in total 31 CVEs, too many to list here, so please refer to the DLA for details.

Unfortunately DLA 4053-1 caused a regression with drive sharing, #109855, and while preparing DLA 4053-1 I had missed two CVEs altogether, so DLA-4070-1 fixed the regression and additionally two more CVEs, CVE-2022-24882 and CVE-2022-39320.

The package now has only two remaining CVEs for bullseye. For one, CVE-2022-39317, there is not enough information to identify an upstream patch. (I might have identified a patch, but no response yet on the query made to upstream.) The other, CVE-2021-41159, is marked as "ignored" as the required changeset has been determined to be too intrusive to backport.

For bookworm, I've proposed updating to a version based on the latest upstream, 2.11.7. For this I've analysed the changes made to assist the stable release team in assessing whether a new upstream version would be acceptable. Unfortunately there is no reply yet.

DLA-4053-1: https://lists.debian.org/debian-lts-announce/2025/02/msg00016.html
DLA-4070-1: https://lists.debian.org/debian-lts-announce/2025/02/msg00034.html
s-p-u bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054915

libxml2 (DLA-4064-1, ELA-1327-1), stable
========================================

Same as for freerdp2, bullseye had to catch up on fixes made already for older releases, as well as some issues to be fixed in the ELTS suites.

Those CVEs have been fixed in LTS and ELTS:

CVE-2022-49043
CVE-2023-39615*
CVE-2023-45322*
CVE-2024-25062*
CVE-2024-56171
CVE-2025-24928
CVE-2025-27113

Those marked with '*' have been fixed for bullseye and stretch, the others in all suites.

Also here, to get stable into the same state as the LTS and ELTS suites, I've reached out to the stable security team to align on how to proceed: libxml2's maintainer will take care of the update in stable.

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors

Cheers,
-- tobi