(E)LTS report for May 2024
LTS:

glibc:
- Released DLA-3807-1, fixing CVE-2024-2961.
- Fixed and enabled the build tests and autopkgtest.

gst-plugins-base1.0:
- Released DLA-3824-1, fixing CVE-2024-4453.

libkf5ksieve:
- Released DLA-3809-1, fixing CVE-2023-52723.

ELTS:

glibc:
- Released ELA-1087-11, fixing CVE-2024-2961 in jessie and stretch.
- Fixed and enabled the build tests and autopkgtest in stretch.

gst-plugins-base1.0:
- Released ELA-1102-1, fixing CVE-2024-4453 in jessie and stretch.

inetutils:
- Released ELA-1103-1, fixing CVE-2019-0053 and CVE-2023-40303 in stretch.

Additionally, work was done on dcmtk and glibc for DLAs/ELAs to be released in June.
(E)LTS report for May 2024
I've worked during May 2024 on the below listed packages, for Freexian LTS/ELTS [1]. Many thanks to Freexian and sponsors [2] for providing this opportunity!

ELTS and LTS:

gnutls28 (ELA-1090-1)
This involved a lot of triaging, and some verdicts were that the versions in ELTS are not or only partially affected, so in the end only CVE-2021-4209 has been fixed in this upload, and only for stretch. For this vulnerability, jessie was found not to be affected, as jessie builds against nettle2, and the codepath using nettle2 had a check already in place, so the vulnerability can not be triggered.
Other vulnerabilities triaged and found not to affect ELTS:
- CVE-2024-0567 - vulnerable code not present in ELTS.
- CVE-2024-28834 - vulnerable code not present in ELTS.
- CVE-2024-28835/gnutls28 - vulnerable code not present in ELTS.

intel-microcode (DLA-3808-1, ELA-1088-1)
Intel has released microcode updates, addressing several vulnerabilities. This release updated the microcode package to address a few CVEs; see the DLA/ELA for details.

frr (oldstable)
As a follow-up from last month, preparing frr for bullseye too. frr is the same version in buster and bullseye, so porting the version to oldstable had a lot of synergies. I'm currently waiting for the security team's feedback about how to proceed further.

firmware-nonfree
Salvatore approached me about firmware-nonfree and we (Ben, Salvatore, /me) used the opportunity at the MDC Berlin to talk about how we can align the efforts better to get updated firmware in all suites. Currently bullseye is behind LTS and ELTS, so one point we've agreed on is that I'll tackle bullseye to get that updated. In parallel Ben will work on tools to make it easier / more automated in the future to backport newer firmware to the respective suites. I've worked on the bullseye update already, but couldn't complete it in May.
[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors

Cheers,
-- tobi
Debian (E)LTS report for May 2024
Hi,

This is my first month as a (E)LTS contributor since 2019, it is good to be back :)

This month I spent some time going through documentation and setting up my work environment, and the rest of my time I worked on the analysis of the ClamAV 1.0.x backport to (E)LTS releases, namely bullseye (next LTS), buster and stretch. The analysis showed that we need to backport a newer rustc version to those releases to allow the backport; more details can be found in this issue [1] (also the reasoning of why we need ClamAV 1.0.x). I'll keep working on that.

I'd like to thank Roberto and Santiago for supporting me during my on-boarding, and also Emilio for helping me with the rust ecosystem in Debian (not too familiar with it).

[1] https://gitlab.com/freexian/services/deblts-team/debian-lts/-/issues/63

Cheers!
-- Lucas Kanashiro
Debian (E)LTS report for May 2024
Hi everyone,

in April I reviewed Bastien's apache2 security update for jessie and stretch. In the process I also updated the ftf ansible repo to produce VM images compatible with autopkgtest in qemu mode.

I also started on updating ansible in bullseye, however I was not able to finish it yet due to commitments on the Mini-Debconf Berlin [0]. I intend to release the update in the next week.

Thanks to our sponsors for financing this work, and to Freexian for coordinating!

Regards,
Lee Garrett, Debian LTS Team

[0] https://wiki.debian.org/DebianEvents/de/2024/MiniDebconfBerlin
(E)LTS report for May 2023
I've worked during May 2023 on the below listed packages, for Freexian LTS/ELTS [1]. Many thanks to Freexian and our sponsors [2] for providing this opportunity!

non-packaging:
- continuing on "Forking repositories for the LTS namespace"

LTS:

nvidia-graphics-driver:
- Triaging and evaluation of whether an update to a newer version would make sense. See https://lists.debian.org/debian-lts/2023/05/msg00015.html for the conclusion.

nvidia-graphics-drivers-legacy-390xx:
- DLA-3418-1 (final upload of final release, as the 390 series is EOL upstream). See also https://lists.debian.org/debian-lts/2023/05/msg00015.html.

hdf5:
- Triaging/evaluation of whether a new upstream version could be applied from the 1.10.x series; however, the changes require a SO-NAME bump.

firmware-nonfree:
- Trying to reproduce/work on a reported regression (#1036265) for an Edimax (Realtek based) USB Wifi adapter.

libssh:
- DLA-2303-1 (CVE-2020-16135), as well as triaging whether other CVEs are applicable to the buster version.

ELTS:

syslog-ng:
- Regression update (ELA-832-2) for jessie.

sqlite:
- ELA-850-1 (CVE-2016-6153, CVE-2018-8740). Other CVEs have been triaged and determined not to affect the ELTS versions.

libssh:
- Triage of CVE-2023-2283: not affecting ELTS.

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors

Cheers,
-- tobi
(E)LTS report for May 2021
hi,

in May 2021 I spent 5.5h managing (E)LTS contributors and onboarding the new coordinator, which in the end didn't work out, so I've been resuming this role for the time being.

- dispatch work hours for LTS and ELTS
- mail and irc communication, incl.
- onboarding Lynoure, explaining my work
- participate in the monthly team meeting on irc
- semi-automatic unclaim packages / too many claimed packages
- missing DLAs on www.d.o
- publishing my make_report.sh script in git.

--
cheers,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
(E)LTS report for May
Hi,

During the month of May, I spent 33h on LTS working on the following tasks:

- openjdk-7 security update
- qemu security update
- security-tracker reviews
- sqlite3 triage
- sox: backported patches, ran into a stability bug in jessie not happening in sid, bisected it but the fix was too invasive, so released the other fixes
- jruby: investigated build issue reported by Abhijith
- samba security update
- firefox-esr security update
- started to look at how to handle firefox-esr 68 for jessie
- thunderbird security update
- CVE triaging
- php5: started with the new issues, but waited for the official upstream release
- backporting fixes for poppler issues

For ELTS I spent 12h on the following:

- openjdk-7 security update
- intel-microcode: backported security update
- php5: backported fixes but waited for upstream release
- CVE triaging / frontdesk

Cheers,
Emilio