Here is my public monthly report.

Thanks to our sponsors for making this possible, and to Freexian for handling the offering.
https://www.freexian.com/lts/debian/#sponsors

LTS:
- golang-yaml.v2
  - buster:
    - CVE-2021-4235
    - CVE-2022-3064
    - Add upstream patch with style fixes for CVE-2022-3064 so that we are in line with upstream code if there happens to be another security update.
    - Verified the i386 test is broken prior to these patches and is completely unrelated to the code changes and the upload can continue.
    Ready to upload but out of LTS time - will upload in July after the US holiday.
    https://salsa.debian.org/lts-team/packages/golang-yaml.v2

- qt4-x11
  - buster:
    - CVE-2023-34410
    - CVE-2023-32573
    - CVE-2021-45930
    - CVE-2021-3481
    Patches and local testing done.
    https://salsa.debian.org/qt-kde-team/qt/qt4-x11/-/commits/buster
    - CVE-2023-32763
    Attempted to backport upstream patch for qt 5.15.15 but the code from qt4 -> qt5 has changed too dramatically and the fix uses private overflow functions that do not exist in qt4. I am reaching out to some qt connections I have for help and to see if it is even possible to backport.

ELTS:
  - stretch:
    - CVE-2023-34410
    - CVE-2023-32573
    Patches and local testing done.
    Also affected by
    - CVE-2023-32763 - see above
    https://salsa.debian.org/qt-kde-team/qt/qt4-x11/-/commits/debian%2Fstretch
  - jessie:
    - CVE-2023-34410
    - CVE-2023-32573
    - CVE-2021-45930
    - CVE-2021-3481
    Patches and local testing done.
    https://salsa.debian.org/qt-kde-team/qt/qt4-x11/-/commits/jessie

I am awaiting feedback for CVE-2023-32763 before uploading. If anyone here has QT experience and would like to take a look, please don't hesitate to reach out.

Misc:
Spent some free time familiarizing myself with Django and package tracker code.
Team monthly meeting

Thanks,
Scarlett