During September I worked on the packages listed below for Freexian
LTS/ELTS [1].

Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS
===

Cacti
-------

I backported the bookworm fixes.
I fixed the autopkgtest suite.
I investigated the status of CVE-2024-27082.
I fixed CVE-2022-41444 CVE-2024-25641 CVE-2024-31443 CVE-2024-31444
       CVE-2024-31445 CVE-2024-31458 CVE-2024-31459 CVE-2024-31460
       CVE-2024-34340
I released DLA 3884-1.

DOM Purify
-----------------

During previous work on cacti, I reviewed dompurify, a JS component used for
protecting against XSS.
This piece of software was vulnerable and I filed a few security issues found by
commit review.

NodeJS
----------

I fixed CVE-2023-30589 CVE-2023-30590 CVE-2023-32559 CVE-2023-46809
                 CVE-2024-22019 CVE-2024-22025 CVE-2024-27982 CVE-2024-27983
I triaged a few bugs that do not apply to bullseye. I cross-checked by code
review and by trying exploits.
I uploaded and released DLA-3886-1.

pymongo
-------------

I released DLA-3889-1 fixing CVE-2024-5629.

libreoffice
----------------

I backported the fix for CVE-2024-7788.

Unfortunately I was hit by a FTBFS that is present in the current version.
I am debugging it.

As usual progress is slow due to the huge build time for this package.

Apache2
------------

I contacted upstream a few times about regression handling.
I triaged another regression issue due to the recent fix.
I made a partial fix for the regressions and am waiting for a release in
unstable/bookworm/bullseye.

ELTS
====

apache2
------------

I fixed CVE-2024-38474/CVE-2024-38475 for buster (release ELA-1182-1)
and ELA-1182-2 for stretch/jessie.

Note that these fixes include regression fixes found in apache trunk.

mariadb
------------

I have made a new batch of fixes for mariadb-10.1 fixing CVE-2021-46659,
CVE-2022-21427, CVE-2022-24048, CVE-2022-24050, CVE-2022-24051,
CVE-2022-24052, CVE-2022-27380, CVE-2022-27383, CVE-2022-27384,
CVE-2022-27387, CVE-2022-27448, CVE-2022-31622 and CVE-2022-32083.

I am preparing a third batch of fixes.

I have backported the fix for CVE-2024-21096 for mariadb-10.3 and am waiting for review.

Nodejs
-----------

I have triaged the remaining CVEs by testing POCs and by code review.
nodejs for ELTS is not affected by the triaged CVEs, thus an ELA was not needed.

Libreoffice
---------------

I backported the fix for CVE-2024-6472 and released ELA-1181-1.

Other
=====

I attended the monthly meeting.

A special thanks to santiago and roberto for testing.

Cheers

rouca

[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors
