Hello,
This is my September 2024 monthly report for the Freexian LTS/ELTS [1]
initiative.
Many thanks to Freexian and sponsors [2] for providing this opportunity!
LTS:
====
I worked on the nss package for Debian Bullseye, with the following highlights:
* briefly evaluated CVE-2023-5388, but then decided to work on autopkgtest first
before working on this one
* enabled basic autopkgtest support
** I also spent some time trying to run the upstream test suite from
autopkgtest, but it is difficult. I sent an email upstream seeking advice [3]
but no reply so far.
* added patch for CVE-2024-0743
* added patch for CVE-2024-6602
* evaluated CVE-2024-7531, but I couldn’t find a clear patch
* evaluated CVE-2024-6609.
** Initially I misunderstood the code and thought the package was not affected,
but I was corrected by Salvatore. Later, I contacted upstream [4] to see if they
could help me find a patch.
ELTS:
====
Similarly, I also worked on the nss package for Debian Buster/Stretch/Jessie.
* enabled basic autopkgtest support for all versions
* added patch for CVE-2024-6602.
** Note that for Stretch and Jessie, I had to mangle the patch, and an
additional review would be good to have
For both LTS and ELTS work, the package has not been uploaded yet, but the
changes are visible in the git repository [5].
regards.
[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors
[3] https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/XxyFdte0-uU/m/i3H9zyLAAQAJ
[4] https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/t9JmsYkujWM/m/HjKuk-ngBAAJ
[5] https://salsa.debian.org/lts-team/packages/nss