Hello,

This was my twelfth month working on LTS and ELTS. Thank you to Freexian and Freexian's sponsors for making these projects possible: <https://www.freexian.com/lts/debian/#sponsors>

LTS

- git

  - Released DLA-3844-1 fixing CVE-2023-25652, CVE-2023-25815, CVE-2023-29007, CVE-2024-32002, CVE-2024-32004, CVE-2024-32021 and CVE-2024-32465, and including a follow-up fix for CVE-2019-1387.

    We did not include upstream's fix for CVE-2024-32020 because it was decided to be inappropriate in a context of long term support. For simple git hosting using 'git init --bare --shared', the fix broke pulling and pushing by a different UID, unless the local administrator deployed relatively fiddly server-side configuration changes. I was pleased to have identified this issue -- after doing so, I found that upstream's fix had already been released elsewhere in the free software ecosystem, and that there had been regression reports.

    Upstream's fix for CVE-2024-32004 relied on the same change, but fortunately the fix for CVE-2024-32465 also fixed CVE-2024-32004.

- org-mode

  - Released DLA-3848-1 fixing CVE-2024-39331.

- emacs

  - Released DLA-3849-1 fixing CVE-2024-39331.

ELTS

- git

  - Marked CVE-2024-32004 and CVE-2024-32465 as inapplicable to ELTS. Determining that these were not applicable depended on the details of upstream's fixes, and the text of the CVEs was not too helpful. So it was good to be able to do this relatively quickly thanks to having already worked on the fixes for these CVEs under LTS.

  - Started preparing an upload to fix CVE-2023-25652, CVE-2023-25815, CVE-2023-29007, CVE-2024-32002 and CVE-2024-32021.

- emacs24

  - Started preparing an ELA to fix CVE-2024-39331.

- emacs25

  - Started preparing an ELA to fix CVE-2024-39331.

-- 
Sean Whitton