I've worked during March on the below listed packages, for Freexian LTS/ELTS [1].
Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS
===

composer
--------------

I triaged #1063603/CVE-2024-24821 and confirmed that this CVE does not affect buster.
I backported local path fixes.
I backported CVE-2023-43655.
I finally released DLA-3777-1.

curl
-----

I tested the fixes created the previous month and I released DLA-3763-1.

sendmail
-------------

I tested with the SMTP smuggling attack.
I contacted upstream for clarification.

imagemagick
-------------------

I determined CVE-2022-3213 not affected before trixie.
I determined CVE-2023-2157 not affected before buster.
I determined CVE-2021-40211 does not affect bullseye (this was complicated due to being reintroduced by an upstream fix of another CVE).
I released imagemagick 8:6.9.10.23+dfsg-2.1+deb10u7, thus DLA 3767-1, fixing CVE-2022-48541.

putty
-------

Due to the difficulty of backporting the Terrapin fixes, I proposed a backport of bullseye.

zookeeper
----------------

I fixed CVE-2024-23944/sid.
I fixed CVE-2024-23944/bullseye.
Unfortunately the patches do not apply cleanly to buster/stretch, due to huge code changes.
I contacted upstream in order to get a testsuite.

ELTS
====

wpa
------

I backported fixes for CVE-2023-52160, an authentication bypass.
I added a Salsa CI test and released ELA-1064-1.

curl
-----

I fixed a previously made patch thanks to a review by Roberto.
I released ELA-1068-1.

sendmail
-------------

I backported the fix of CVE-2023-51765 to stretch. Test is ok.
The jessie backport was harder due to an old toolchain (CBFS with extract tarball).

zookeeper
---------------

I investigated the status of CVE-2024-23944.

imagemagick
--------------------

Following the previous month's effort, I tried to fix the recursive SVG issue.

Other work
=========

I attended the monthly meetings of the teams.
A special thanks to the Ubuntu security team for cross checking my sendmail work, particularly Mark Esler.

Cheers
rouca

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors