LTS:

cyrus-imapd:
- Marked CVE-2024-34055 (sole unfixed CVE) as ignored due to being
  too intrusive to backport, following upstream and bullseye.

dcmtk:
- Determined that CVE-2024-27628 does not affect <= bullseye
- Released DLA-3847-1, fixing CVE-2021-41687, CVE-2021-41688,
  CVE-2021-41689, CVE-2021-41690, CVE-2022-2121, CVE-2022-43272,
  CVE-2024-28130, CVE-2024-34508 and CVE-2024-34509.

glibc:
- Released DLA-3850-1, fixing CVE-2024-33599, CVE-2024-33600,
  CVE-2024-33601 and CVE-2024-33602.

libvpx:
- Released DLA-3830-1, fixing CVE-2024-5197.
- Provided the packages for DSA-5722-1, fixing the CVE also
  for bullseye and bookworm.

nano:
- Released DLA-3831-1, fixing CVE-2024-5742.
- Submitted updates with the CVE fix for bullseye and bookworm;
  they were included in the Debian 11.10 and 12.6 point releases.

plasma-workspace:
- Determined that CVE-2024-1433 does not affect <= bullseye,
  but does affect plasma-framework.
- Released DLA-3827-1, fixing CVE-2024-36041.
- Provided the packages for DSA-5723-1, fixing the CVE also
  for bullseye and bookworm.

sredird:
- Discussed with the security team that CVE-2004-2386 (sole
  unfixed CVE) is considered to refer only to a vulnerability
  that was fixed in Debian 20 years ago.


ELTS:

dcmtk:
- Released ELA-1118-1, fixing CVE-2019-1010228, CVE-2021-41687,
  CVE-2021-41688, CVE-2021-41689, CVE-2021-41690, CVE-2022-2121,
  CVE-2022-43272, CVE-2024-28130, CVE-2024-34508 and CVE-2024-34509
  in stretch.

glibc:
- Released ELA-1119-1, fixing CVE-2024-33599, CVE-2024-33600,
  CVE-2024-33601 and CVE-2024-33602 in jessie and stretch.

libvpx:
- Determined that CVE-2016-3881 does not affect jessie.
- Released ELA-1112-1, fixing CVE-2024-5197 in jessie and stretch,
  and CVE-2016-6711 and CVE-2017-0393 in jessie.

nano:
- Released ELA-1109-1, fixing CVE-2024-5742 in jessie and stretch.
