During July I worked on the packages listed below for Freexian
LTS/ELTS [1].

Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS
===

imagemagick
--------------------

Following the previous month's fix, and in order to avoid regressions during
upgrade from buster to bullseye/bookworm, I proposed an update fixing the
CVE-2022-3213 regression and an incomplete fix for a variation of
CVE-2023-1289 found by testing.

CVE-2022-3213 took a long time to fix, with more than 10 backports of
unrelated commits needed.

apache2
------------

I triaged bugs and investigated regressions in 2.4.62 caused by the security
fix, particularly https://bz.apache.org/bugzilla/show_bug.cgi?id=69203 and
https://bz.apache.org/bugzilla/show_bug.cgi?id=69160

php-cas
-----------

Fixed a regression when updating buster -> bullseye (CVE-2022-39369).
Fixed fusiondirectory, broken by the update.
Fixed ocsinventory-server, broken by the update. Investigated a further
update due to an embedded code copy.
Tested fusiondirectory.

putty
-------

Redid the work for fixing CVE-2024-31497 in bullseye/bookworm, and thus a
potential regression when updating buster -> bullseye.

Maintainer merged fixes.

I have opened PU bugs.

ELTS
====

sendmail
-------------

Following the previous month's work, I uploaded to stretch and released
ELA-1124-1 fixing CVE-2023-51765.

imagemagick
--------------------

For buster I released ELA-1133-1 (and the regression fix ELA-1133-2) fixing
CVE-2023-1289 and CVE-2023-34151.

For stretch I released ELA-1136-1 fixing CVE-2017-11752 CVE-2017-12566
CVE-2017-18022 CVE-2018-11655 CVE-2022-48541
CVE-2023-1289 CVE-2023-5341 CVE-2023-34151.

For jessie I released ELA-1140-1 fixing CVE-2017-11752 CVE-2017-12566
CVE-2017-18022 CVE-2018-11655 CVE-2021-3596
CVE-2022-28463 CVE-2022-48541 CVE-2023-1289 CVE-2023-5341 CVE-2023-34151.

I also investigated a potential regression in ruby-rmagick, which was due to
improper ABI use by rmagick and not to an ABI breakage in the security fixes.
I pushed a fix for ruby-rmagick to git and checked that the regression was
fixed.

As usual with imagemagick, progress is slow due to unrelated breakage caused
by the fixes, which needs further backports.

Thanks to santiago for testing and cross-checking my work.

apache2
------------

I released ELA-1129-1 for stretch fixing all remaining HTTP2 security bugs
(CVE-2020-9490 CVE-2020-11993 CVE-2021-33193 CVE-2023-45802 CVE-2024-27316)
by backporting the HTTP2 module to the stretch version.

I prepared the next CVE fixes, but due to an identified regression I am
keeping the work on hold.

For buster, I found a regression in autopkgtest. I debugged this failure,
which was due to the tmp mount being masked. I proposed a few solutions and
am continuing to investigate.

mariaDB
-------------

I triaged the remaining CVEs and identified the commits that fix the security
problems.

Other
=====

I attended the monthly meeting.

A special thanks to the Ubuntu security team, particularly Mark Esler, for
cross-checking my sendmail work.

A special thanks to santiago for testing.

Cheers

rouca

[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors
