I've worked during May on the below listed packages, for Freexian LTS/ELTS [1].
Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS
===

sendmail
--------
Following the previous month's fix, and in order to avoid regression during upgrade from buster to bullseye/bookworm, I uploaded as proposed update sendmail 8.15.2-22+deb11u3 and 8.17.1.9-2+deb12u2 fixing SMTP smuggling.

putty
-----
I reviewed fixes and uploaded deb11u1~deb10u2 fixing CVE-2024-31497 (DLA-3839-1).
I proposed to the maintainer a PU for bullseye and bookworm fixing CVE-2024-31497.
I re-added the testsuite run during build in order to check for regression.

fossil
------
The Apache2 fixes break unrelated packages, particularly fossil. Indeed, the fix for CVE-2024-24795 may break unrelated CGI-BIN scripts. As part of the security fix, the Apache webserver mod_cgi module has stopped relaying the Content-Length field of the HTTP reply header from the CGI programs back to the client in cases where the connection is to be closed and the client is able to read until end-of-file.
I answered the release team about the PU.

nodejs
------
I investigated the backport of CVE-2024-27982 and CVE-2024-27983.
I also investigated with the maintainer a bookworm regression that blocks the fixes.

pymongo
-------
I uploaded a newer version to unstable fixing CVE-2024-5629.
I uploaded PU bookworm 3.11.0-1+deb12u1.
I uploaded PU bookworm 3.11.0-1+deb11u1.
I released LTS pymongo 3.7.1-1.1+deb10u1 (DLA-3832-1).

zookeeper
---------
I answered the PU comments and fixed according to the release team's wishes.

imagemagick
-----------
See ELTS.

wpa
---
Following the buster fixes, I updated bullseye 2.9.0-21+deb11u1 and bookworm 2.10-12+deb12u1.

ELTS
====

apache2
-------
I tested my http2 fixes for stretch. Apache2 was uploaded to the Freexian infrastructure.
I am waiting for the autopkgtest green light, then will do an ELA.
I fixed CVE-2023-38709 for jessie and released ELA-1106-1.

pymongo
-------
I released ELA-1111-1 fixing CVE-2024-5629.

erlang
------
I investigated issue 113 and found some possible actions.

sendmail
--------
I backported the stretch version to jessie in order to close SMTP smuggling. I am waiting for a cross check.

opencryptokit
-------------
I investigated CVE-2024-0914. The lack of constant-time operation renders the backport of fixes extremely hard. The change of the OpenSSL API in newer versions will render a full backport hard. A collegial risk analysis is ongoing.

imagemagick
-----------
I worked to close a regression of CVE-2023-34151 and CVE-2023-1289.
I managed to get CVE-2023-1289 closed down to stretch. For jessie it seems that CVE-2023-1289 is closed (no coredump), but it needs more investigation.
For the regression of CVE-2023-34151, I released a sid version closing this, and release by release fixed it down to jessie. Testing showed that CVE-2023-34151 seems closed, but there exists a leak for older versions. Work is ongoing to close the leak.
I fixed other CVEs (except ignored ones) down to jessie.
Thanks to santiago for testing.

Other
=====
I attended the monthly meeting.

A special thanks to the Ubuntu security team for cross checking my sendmail work, particularly Mark Esler.
A special thanks to santiago for testing.

Cheers
rouca

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors