Hello everyone,

Here’s my monthly report for the work I’ve done for Debian LTS and ELTS in January 2025.

Thanks to Freexian and sponsors for making this possible: https://www.freexian.com/lts/debian/#sponsors

LTS
===

389-ds-base

In December, I worked on an update for this package, but since CVEs I was going to fix were still not fixed in stable, in January I worked on an update for it in stable as well. Ultimately, I have uploaded fixes for 4 CVEs into proposed-updates: CVE-2024-2199, CVE-2024-8445, CVE-2024-5953, CVE-2024-3657.

After that, I have uploaded the previously prepared update for bullseye fixing all CVEs but CVE-2024-6237, CVE-2022-1949, CVE-2023-1055 and CVE-2016-5416, as I described in my December’s update.

git-lfs

A fairly simple update for CVE-2024-53263 went into bookworm and bullseye.

ELTS
====

libgit2

I have backported a bunch of security fixes for libgit2 to jessie: CVE-2016-10128, CVE-2016-10129, CVE-2016-8568, CVE-2016-8569, CVE-2018-10887, CVE-2018-10888, CVE-2018-8099, CVE-2020-12278, CVE-2020-12279, CVE-2024-24577.

CVE-2023-22742 was a bit too complicated for me to backport, so I marked it as postponed, and I may return to it in future. CVE-2018-8098 was also not actionable since the code in question was not present in the version jessie shipped.

--
Cheers,
Andrej
