Hello, December was my eighteenth month working on LTS and ELTS. Thank you to Freexian and Freexian's sponsors for making these projects possible: <https://www.freexian.com/lts/debian/#sponsors>
LTS

- python-werkzeug
  - Fixed CVE-2023-46136, CVE-2024-34069 and CVE-2024-49767 in bookworm for the next point release.
  - I determined that only one of the three CVEs applied to LTS, and decided that it should be postponed to the next batch of updates. Therefore, I did not issue any DLA.
- xen
  - Helped unblock the contributors updating Xen to a newer supported release by sponsoring two uploads to the experimental binNEW queue. This is part of a new initiative to help ensure that versions of packages with better levels of upstream support end up in Debian stable releases, making LTS work smoother, and in some cases, making supporting the package in LTS possible at all.
- libsoup2.4
  - Proposed a bookworm stable update to fix CVE-2024-52530, CVE-2024-52531 and CVE-2024-52532.
  - Released DLA-3992-1 fixing CVE-2024-52530, CVE-2024-52531 and CVE-2024-52532 in bullseye.
- Correspondence, minor triage.

ELTS

- python-werkzeug
  - I determined that only one of the three CVEs applied to ELTS, and decided that it should be postponed to the next batch of updates. Therefore, I did not issue any ELA.
- openssl1.0
  - Released ELA-1264-1 fixing CVE-2023-5678 and CVE-2024-0727 in stretch.
- ntp
  - Released ELA-1270-1 fixing CVE-2020-11868, CVE-2020-15025 and CVE-2023-26555 in buster.

    We didn't have anything imported to LTS git repositories, and not all of the links to upstream's fixes would load, as it would seem their bitkeeper server is only partially functioning. I found some fixes had been uploaded to jessie and wheezy, and a Debian git history somewhere else on salsa. There was a helpful discussion thread on GitHub, and some files uploaded to Google Docs(?!). The difficulty here was that I needed to forward-port the patch from jessie and wheezy, when we usually prefer to backport. In addition, the patch was different from the one from upstream that I was able to acquire.

    Fortunately, putting together all the information I had allowed me to infer that forward-porting was correct. I enjoyed the detective work, though it is good to know that improvements in our VCS practices and in upstream VCS practices will make this sort of thing less and less necessary.
- libsoup2.4
  - Released ELA-1272-1 fixing CVE-2024-52530, CVE-2024-52531 and CVE-2024-52532 in buster, stretch and jessie.
  - For jessie and stretch I first had to address the fact that the packages already failed to build, before I made any changes.

-- 
Sean Whitton