LTS:

cyrus-imapd:
- Marked CVE-2024-34055 (sole unfixed CVE) as ignored due to being too intrusive to backport, following upstream and bullseye.

dcmtk:
- Determined that CVE-2024-27628 does not affect <= bullseye.
- Released DLA-3847-1, fixing CVE-2021-41687, CVE-2021-41688, CVE-2021-41689, CVE-2021-41690, CVE-2022-2121, CVE-2022-43272, CVE-2024-28130, CVE-2024-34508 and CVE-2024-34509.

glibc:
- Released DLA-3850-1, fixing CVE-2024-33599, CVE-2024-33600, CVE-2024-33601 and CVE-2024-33602.

libvpx:
- Released DLA-3830-1, fixing CVE-2024-5197.
- Provided the packages for DSA-5722-1, fixing the CVE also for bullseye and bookworm.

nano:
- Released DLA-3831-1, fixing CVE-2024-5742.
- Submitted updates with the CVE fix for bullseye and bookworm; they were included in the Debian 11.10 and 12.6 point releases.

plasma-workspace:
- Determined that CVE-2024-1433 does not affect <= bullseye, but does affect plasma-framework.
- Released DLA-3827-1, fixing CVE-2024-36041.
- Provided the packages for DSA-5723-1, fixing the CVE also for bullseye and bookworm.

sredird:
- Discussed with the security team that CVE-2004-2386 (sole unfixed CVE) is considered to refer only to a vulnerability that was fixed in Debian 20 years ago.

ELTS:

dcmtk:
- Released ELA-1118-1, fixing CVE-2019-1010228, CVE-2021-41687, CVE-2021-41688, CVE-2021-41689, CVE-2021-41690, CVE-2022-2121, CVE-2022-43272, CVE-2024-28130, CVE-2024-34508 and CVE-2024-34509 in stretch.

glibc:
- Released ELA-1119-1, fixing CVE-2024-33599, CVE-2024-33600, CVE-2024-33601 and CVE-2024-33602 in jessie and stretch.

libvpx:
- Determined that CVE-2016-3881 does not affect jessie.
- Released ELA-1112-1, fixing CVE-2024-5197 in jessie and stretch, and CVE-2016-6711 and CVE-2017-0393 in jessie.

nano:
- Released ELA-1109-1, fixing CVE-2024-5742 in jessie and stretch.