I've worked during January 2025 on the below listed packages, for Freexian LTS/ELTS [1]
Many thanks to Freexian and sponsors [2] for providing this opportunity!

busybox (DLA-4019-1 ELA-1311-1)
===============================

This month I worked on busybox for LTS and ELTS, fixing 12-14 CVEs per release; please refer to the announcements for details.

As busybox is a high profile package, significant efforts went into triaging the vulnerabilities against the versions in our release, and git-bisecting the issues to narrow down when the vulnerabilities have been introduced, summarized for the example of the bullseye upload:

https://lists.debian.org/debian-lts/2025/01/msg00013.html

As a result, some of the CVEs have been marked "postponed" (as no upstream or upstream confirmed patch is available) or "ignored" (as a backport would require significant rewriting and therefore pose too high a risk of introducing regressions, while the vulnerability was not triggerable with a PoC available on the upstream bugtracker).

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors

Cheers,
--
tobi