I've worked during May on the packages listed below, for Freexian
LTS/ELTS [1].

Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS
===

sendmail
-------------

Following the previous month's fix, and in order to avoid a regression during
upgrade from buster to bullseye/bookworm, I uploaded as proposed updates
sendmail 8.15.2-22+deb11u3 and 8.17.1.9-2+deb12u2 fixing SMTP smuggling.

putty
-------

I reviewed the fixes and uploaded deb11u1~deb10u2 fixing CVE-2024-31497 (DLA-3839-1).

I proposed to the maintainer a PU for bullseye and bookworm fixing CVE-2024-31497.

I re-added the test suite run during build in order to check for regressions.

fossil
-------

The Apache2 fixes break unrelated packages, particularly fossil.
Indeed the fix for CVE-2024-24795 may break unrelated
CGI-BIN scripts. As part of the security fix, the Apache webserver
mod_cgi module has stopped relaying the Content-Length field
of the HTTP reply header from the CGI programs back to the client
in cases where the connection is to be closed and the client
is able to read until end-of-file.

I answered the release team about the PU.

nodejs
----------

I investigated the backport of CVE-2024-27982 and CVE-2024-27983.
I also investigated, with the maintainer, a bookworm regression that blocks the fixes.

pymongo
--------------

I uploaded a newer version to unstable fixing CVE-2024-5629.
I uploaded PU bookworm 3.11.0-1+deb12u1.
I uploaded PU bookworm 3.11.0-1+deb11u1.
I released LTS pymongo 3.7.1-1.1+deb10u1 (DLA-3832-1).

zookeeper
---------------

I answered the PU comments and fixed according to the release team's wishes.

imagemagick
--------------------

see ELTS

wpa
------

Following the buster fixes I updated bullseye 2.9.0-21+deb11u1 and bookworm
2.10-12+deb12u1.

ELTS
====

apache2
------------

I tested my http2 fixes for stretch. Apache2 was uploaded to the Freexian
infrastructure. I am waiting for the autopkgtest green light, then will do an ELA.

I fixed CVE-2023-38709 for jessie and released ELA-1106-1.

pymongo
--------------

I released ELA-1111-1 fixing CVE-2024-5629.

erlang
---------

I investigated issue 113, and found some possible actions.

sendmail
-------------

I backported the stretch version to jessie in order to close SMTP smuggling. I am
waiting for a cross check.


opencryptoki
--------------------

I investigated CVE-2024-0914. The lack of constant-time operations renders the
backport of the fixes extremely hard.
The change of the OpenSSL API in newer versions will render a full backport hard. A
collegial risk analysis is ongoing.

imagemagick
--------------------

I worked to close a regression of CVE-2023-34151 and CVE-2023-1289. I managed
to get CVE-2023-1289 closed down to stretch.
For jessie it seems that CVE-2023-1289 is closed (no coredump) but it needs more
investigation.

For the regression of CVE-2023-34151, I released a sid version closing this, and
release by release fixed it down to jessie.
Testing showed that CVE-2023-34151 seems closed but there exists a leak for older
versions. Work is ongoing to close the leak.

I fixed the other CVEs (except ignored ones) down to jessie.

Thanks to santiago for testing.

Other
=====

I attended the monthly meeting.

A special thanks to the Ubuntu security team for cross checking my sendmail work,
particularly Mark Esler.

A special thanks to santiago for testing.

Cheers

rouca

[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors
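The fossil section above describes why dropping the Content-Length header from a CGI reply can break a client that insists on it, even though HTTP allows a body to be delimited by closing the connection. The following added example (not part of this report or of the Apache or fossil projects) is a small response reader that handles both framing modes and shows how a strict client fails on the close-delimited reply while a lenient one reads it correctly. The two replies are constructed sample data; the function names and the `require_content_length` flag are assumptions of this example.

```python
"""Minimal HTTP/1.x response reader demonstrating the two body framing modes
that a CGI reply may use once it has passed through the web server:
an explicit Content-Length, or "read until the server closes the connection".
Chunked transfer encoding is deliberately not handled here.
"""
import io

# Constructed sample: reply with an explicit Content-Length.
WITH_LENGTH = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

# Constructed sample: the same reply after the server dropped Content-Length
# and signals the end of the body by closing the connection instead.
CLOSE_DELIMITED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"hello"
)


class FramingError(Exception):
    """Raised when the reader cannot determine where the body ends."""


def _read_head(stream):
    """Read the status line and header block; return (status_line, headers)."""
    status_line = stream.readline().rstrip(b"\r\n").decode("ascii")
    headers = {}
    while True:
        line = stream.readline()
        if line in (b"\r\n", b"\n", b""):  # blank line or EOF ends the headers
            break
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def read_response(raw, require_content_length=False):
    """Parse a raw reply; return (status_line, headers, body).

    With require_content_length=True the reader behaves like a strict client
    that cannot cope with a close-delimited body.
    """
    stream = io.BytesIO(raw)
    status_line, headers = _read_head(stream)

    if "content-length" in headers:
        length = int(headers["content-length"])
        body = stream.read(length)
        if len(body) != length:
            raise FramingError("body shorter than Content-Length")
    elif require_content_length:
        raise FramingError("no Content-Length header in reply")
    elif headers.get("connection", "").lower() == "close" or status_line.startswith("HTTP/1.0"):
        # Close-delimited body: read until the peer closes the connection (EOF).
        body = stream.read()
    else:
        raise FramingError("no Content-Length and connection is kept alive")
    return status_line, headers, body


def strict_client_accepts(raw):
    """True if a client that insists on Content-Length can read this reply."""
    try:
        read_response(raw, require_content_length=True)
        return True
    except FramingError:
        return False


if __name__ == "__main__":
    for name, raw in (("with length", WITH_LENGTH), ("close-delimited", CLOSE_DELIMITED)):
        body = read_response(raw)[2]
        print(f"{name}: lenient body={body!r}, strict ok={strict_client_accepts(raw)}")
```

A lenient reader recovers the same body from both replies, so the server-side change is harmless for it; the strict reader accepts only the first reply, which is the kind of breakage the report describes for fossil.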
