During the month of February 2025 and on behalf of Freexian, I worked on the
following:
sssd
----
Uploaded 2.4.1-2+deb11u1 and issued DLA-4047-1.
https://lists.debian.org/msgid-search/?m=Z6iXo73VkKTWnN3A@debian.org
* CVE-2021-3621: Shell command injection.
* CVE-2023-3758: Race condition flaw failing GPO policy application.
Also, prepared 2.8.2-4+deb12u1 for bookworm fixing the latter issue and
filed spu bug #1095970 to that effect.
libtasn1-6
----------
Uploaded 4.16.0-2+deb11u2 and issued DLA-4061-1.
https://lists.debian.org/msgid-search/?m=Z7hhJYzu44X4c04m@debian.org
* CVE-2024-12133: DoS while parsing a certificate containing
numerous SEQUENCE OF or SET OF elements.
Also, uploaded 4.13-3+deb10u2 (buster), 4.10-1.1+deb9u3 (stretch) and
4.2-3+deb8u6 (jessie), and issued ELA-1336-1 for the aforementioned
vulnerability.
https://www.freexian.com/lts/extended/updates/ela-1336-1-libtasn1-6/
gnutls28
--------
Uploaded 3.7.1-5+deb11u7 and issued DLA-4063-1.
https://lists.debian.org/msgid-search/?m=Z7jiuc7d1bQxVwFz@debian.org
* CVE-2024-12243: Potential DoS while parsing a certificate containing
numerous names or name constraints.
Also, prepared 3.6.7-4+deb10u13 for buster-security. Backporting work
is still ongoing for older suites, so the fix is not available for ELTS
and no ELA has been issued yet.
python-urllib3
--------------
Uploaded 1.24.1-1+deb10u3 (buster), 1.19.1-1+deb9u3 (stretch) and
1.9.1-3+deb8u3 (jessie), and issued ELA-1326-1.
https://www.freexian.com/lts/extended/updates/ela-1326-1-python-urllib3/
* CVE-2024-37891: Authorization bypass vulnerability.
php-twig
--------
Started backporting work for CVE-2024-51754, -51755 and CVE-2025-24374,
but didn't upload yet. The fix breaks backward compatibility hence
needs to be coordinated with stable.
Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
--
Guilhem.