I've worked during July 2023 on the below listed packages, for Freexian LTS/ELTS [1].
Many thanks to Freexian and sponsors [2] for providing this opportunity!

LTS:
====

zabbix - DLA-3538-1 (see advisory for details.)

A noteworthy change is for CVE-2013-7484, which changes the way the password is saved in the database to a more secure way. This requires an update to the database schema, and a "Debian"-specific db version identifier, unused by upstream, to be employed, so that later database updates won't be affected. Passwords will be re-hashed when users log in. The upgrade path to bullseye and bookworm is not affected, as those packages already employ the database change and the db update is idempotent.

Besides that, the package required significant effort in backporting the upstream patches, as the code has been refactored quite a bit since the version 4.0.4 in Debian buster and upstream is not always clear on which commit fixes what. In hindsight, as there are later 4.0.x upstream releases, it probably would have made sense to check if updating to the latest 4.0.x is possible/feasible for an LTS release and then tackle the remaining problems not addressed.

ELTS:
====

symfony - ELA-912-1 - finishing work on symfony, tackling CVE-2018-14774, CVE-2021-21424, CVE-2022-24894 and CVE-2022-24895. Please see the ELA for details.

opendkim - triaging, creating the LTS git repository and analyzing CVE-2022-48521, but as there is no upstream patch and developing one will require significant time, I've shelved the package again to continue the work on zabbix/ELTS first.

zabbix - Work in progress. The stretch package is almost ready; some more testing is required. A noteworthy change will be for CVE-2013-7484, which changes the way the password is saved in the database to a more secure way. This requires an update to the database schema, and a "Debian"-specific db version identifier, unused by upstream, to be employed, so that later database updates won't be affected. Passwords will be re-hashed when users log in.

Like with the LTS package, the challenge with zabbix was that the codebase changed a lot, which requires that upstream patches be backported and also that checks be done on whether other code paths are affected by the same problems. I'm planning to tackle zabbix for Jessie in September.

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors

Cheers,
-- tobi
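The report describes two mechanisms for the CVE-2013-7484 fix: passwords are re-hashed transparently when a user logs in, and a distro-specific schema marker keeps the migration idempotent and out of upstream's way. The following is an added example written for this page to illustrate that pattern in general; it is not Debian's or Zabbix's code. The legacy format (unsalted MD5), the upgraded format (PBKDF2-HMAC-SHA256), the marker name `debian_password_rehash` and the in-memory "tables" are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample data: tiny stand-ins for the users and dbversion tables.
# Assumption for illustration only: legacy rows hold a bare, unsalted MD5 hex
# digest. The upgraded format is PBKDF2-HMAC-SHA256 (editor's choice, not the
# scheme the Debian zabbix patch actually uses), stored self-describing as
# "$pbkdf2-sha256$<iterations>$<salt_b64>$<hash_b64>".
USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}
DBVERSION = {}

NEW_PREFIX = "$pbkdf2-sha256$"
ITERATIONS = 600_000
# Hypothetical name for a distro-specific schema marker; upstream never sets
# it, so upstream's own sequential migrations never collide with it.
DEBIAN_SCHEMA_MARKER = "debian_password_rehash"


def migrate(dbversion: dict) -> bool:
    """Record the distro-specific schema change. Idempotent: on a database
    that already carries the marker (e.g. one upgraded from a release that
    already shipped the change) this is a no-op and returns False."""
    if dbversion.get(DEBIAN_SCHEMA_MARKER):
        return False
    dbversion[DEBIAN_SCHEMA_MARKER] = 1  # real schema work (column widening) goes here
    return True


def is_legacy(stored: str) -> bool:
    """A row is legacy unless it carries the self-describing new prefix."""
    return not stored.startswith(NEW_PREFIX)


def hash_password(password: str, salt: bytes = None) -> str:
    """Produce a salted PBKDF2 credential string in the new format."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "%s%d$%s$%s" % (NEW_PREFIX, ITERATIONS,
                           base64.b64encode(salt).decode(),
                           base64.b64encode(dk).decode())


def verify(stored: str, password: str) -> bool:
    """Check a candidate password against either storage format, using a
    constant-time comparison in both branches."""
    if is_legacy(stored):
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, stored)
    _, _, iters, salt_b64, dk_b64 = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate and, on success, transparently upgrade a legacy row.
    The plaintext is only available here, so this is the one point where the
    stronger hash can be computed without forcing a password reset."""
    stored = users.get(username)
    if stored is None:
        # Burn comparable time so an unknown user is not revealed by timing.
        hash_password(password)
        return False
    if not verify(stored, password):
        return False
    if is_legacy(stored):
        users[username] = hash_password(password)
    return True


if __name__ == "__main__":
    migrate(DBVERSION)
    print("legacy before login:", is_legacy(USERS["alice"]))
    print("login ok:", login(USERS, "alice", "correct horse"))
    print("legacy after login:", is_legacy(USERS["alice"]))
```

Two properties are worth checking when backporting such a change: a wrong password must never trigger the re-hash (only a verified plaintext is re-hashed), and the marker must live outside the version counter upstream increments, so that a later upstream schema upgrade neither re-applies nor undoes the distro change.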