I've worked during July on the below listed packages, for Freexian LTS/ELTS [1].
Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS
===

imagemagick
--------------------
Following the previous month's fix, and in order to avoid regression during upgrade
from buster to bullseye/bookworm, I proposed an update fixing the CVE-2022-3213
regression, and an incomplete fix for a variation of CVE-2023-1289 found by testing.
CVE-2022-3213 took long to fix, with more than 10 backports of unrelated commits
needed.

apache2
------------
I triaged bugs and investigated a regression in 2.4.62 due to a security fix,
particularly https://bz.apache.org/bugzilla/show_bug.cgi?id=69203 and
https://bz.apache.org/bugzilla/show_bug.cgi?id=69160

php-cas
-----------
Fixed a regression by updating buster -> bullseye (CVE-2022-39369).
Fixed fusiondirectory, broken by the update.
Fixed ocsinventory-server, broken by the update.
Investigated a further update due to an embedded code copy.
Tested fusiondirectory.

putty
-------
Redid the work for fixing CVE-2024-31497 in bullseye/bookworm, and thus a potential
regression by updating buster -> bullseye. The maintainer merged the fixes. I have
opened PU bugs.

ELTS
====

sendmail
-------------
Following the previous month's work, I uploaded to stretch and released ELA-1124-1
fixing CVE-2023-51765.

imagemagick
--------------------
For buster I released ELA-1133-1 (and the regression fix ELA-1133-2) fixing
CVE-2023-1289 CVE-2023-34151

For stretch I released ELA-1136-1 fixing
CVE-2017-11752 CVE-2017-12566 CVE-2017-18022 CVE-2018-11655 CVE-2022-48541
CVE-2023-1289 CVE-2023-5341 CVE-2023-34151

For jessie I released ELA-1140-1 fixing
CVE-2017-11752 CVE-2017-12566 CVE-2017-18022 CVE-2018-11655 CVE-2021-3596
CVE-2022-28463 CVE-2022-48541 CVE-2023-1289 CVE-2023-5341 CVE-2023-34151

I also investigated a potential regression in ruby-rmagick, which was due to
improper ABI use by rmagick, and not an ABI breakage in the security fixes.
I pushed a fix for ruby-rmagick to git and checked that the regression was fixed.

As usual with imagemagick, progress is slow due to unrelated breakage caused by the
fixes, which needs other backports. Thanks to santiago for testing and
cross-checking my work.

apache2
------------
I released ELA-1129-1/stretch fixing all remaining HTTP2 security bugs
CVE-2020-9490 CVE-2020-11993 CVE-2021-33193 CVE-2023-45802 CVE-2024-27316,
by backporting the HTTP2 module to the stretch version.
I prepared the next CVE fixes, but due to an identified regression, kept the work
on hold.

For buster, I found a regression in autopkgtest. I debugged this failure, due to
the tmp mount being masked. I proposed a few solutions, and keep investigating.

mariaDB
-------------
I triaged the remaining CVEs and identified the commits that fix the security
problems.

Other
=====
I attended the monthly meeting.

A special thanks to the Ubuntu security team for cross-checking my sendmail work,
particularly Mark Esler.
A special thanks to santiago for testing.

Cheers
rouca

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors