Accepted linux-signed-5.10-i386 5.10.179+3~deb10u1 (source) into oldoldstable
Format: 1.8
Date: Fri, 28 Jul 2023 23:08:21 +0200
Source: linux-signed-5.10-i386
Architecture: source
Version: 5.10.179+3~deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Kernel Team
Changed-By: Ben Hutchings
Changes:
 linux-signed-5.10-i386 (5.10.179+3~deb10u1) buster-security; urgency=high
 .
   * Sign kernel from linux-5.10 5.10.179-3~deb10u1
 .
   * Rebuild for buster
Accepted linux-signed-5.10-arm64 5.10.179+3~deb10u1 (source) into oldoldstable
Format: 1.8
Date: Fri, 28 Jul 2023 23:08:21 +0200
Source: linux-signed-5.10-arm64
Architecture: source
Version: 5.10.179+3~deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Kernel Team
Changed-By: Ben Hutchings
Changes:
 linux-signed-5.10-arm64 (5.10.179+3~deb10u1) buster-security; urgency=high
 .
   * Sign kernel from linux-5.10 5.10.179-3~deb10u1
 .
   * Rebuild for buster
Accepted linux-signed-5.10-amd64 5.10.179+3~deb10u1 (source) into oldoldstable
Format: 1.8
Date: Fri, 28 Jul 2023 23:08:21 +0200
Source: linux-signed-5.10-amd64
Architecture: source
Version: 5.10.179+3~deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Kernel Team
Changed-By: Ben Hutchings
Changes:
 linux-signed-5.10-amd64 (5.10.179+3~deb10u1) buster-security; urgency=high
 .
   * Sign kernel from linux-5.10 5.10.179-3~deb10u1
 .
   * Rebuild for buster
Debian LTS and ELTS - July 2023
Here is my public monthly report.

Thanks to our sponsors for making this possible, and to Freexian for handling the offering.
https://www.freexian.com/lts/debian/#sponsors

LTS

- nsis
  - Test and review DLA 3483-1 from Sean Whitton
    https://lists.debian.org/debian-lts/2023/07/msg00019.html
    https://lists.debian.org/debian-lts-announce/2023/07/msg5.html

- python-git
  - DLA 3502-1 (1 CVE + 1 pending)
    https://lists.debian.org/debian-lts-announce/2023/07/msg00024.html

- grpc
  - Investigate status including confusions in CVE descriptions
  - Drop (no more open issues)

ELTS

- mailman
  - Preliminary ELA work
  - Cancel due to end of ELTS support

- python-git
  - Discover incomplete fix for CVE-2022-24439 and coordinate new fix
    https://github.com/gitpython-developers/GitPython/pull/1609
  - ELA-894-1 (stretch, 1 CVE + 1 pending)
    https://www.freexian.com/lts/extended/updates/ela-894-1-python-git/

- twisted
  - Clean-up/refresh Git branches
  - ELA-896-1 (stretch & jessie, 3 CVEs)
    https://www.freexian.com/lts/extended/updates/ela-896-1-twisted/

- Front Desk (week 31 1/2)
  - Start triaging open issues
  - Re-check qemu open CVEs waiting for official patches
  - Fix 2 incomplete ELA entries in security trackers
  - Document sox upstream status
  - Clean-ups/precisions in work queue and package database

Documentation and tooling

- Improve work queue report ('find-work')
  (private tooling planned to be made public)
  - Query maintainer coordination info from existing 'lts-do-call-me' file
  - Clean-up package database accordingly and coordinate with 1 maintainer
  - Fix crash

- LTS Documentation
  - TestSuites: further twisted testing
    https://lts-team.pages.debian.net/wiki/TestSuites/twisted.html

- Fix DLA-3309-1/graphite-web announcement on webmasters notice
  https://bugs.debian.org/1041539

- Continue discussion on making stable-security build logs public after package release
  https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/51#note_412097

- Internal discussion on GitLab issue-based workflow for package updates

- Help newcomers on IRC

--
Sylvain Beucler
Debian LTS Team
(E)LTS report for July 2023
I've worked during July 2023 on the below listed packages, for Freexian LTS/ELTS [1]

Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS:

renderdoc: DLA-3501-1
- CVE-2023-33863, integer overflow possibly allowing RCE
- CVE-2023-33864, integer underflow, possibly allowing RCE
- CVE-2023-33865, symlink vulnerability, potential privilege escalation.

LTS and ELTS:

yajl:
* DLA-3478-1 ELA-888-1:
  - CVE-2023-33460, a memory leak that can lead to DoS.
* DLA-3492-1 ELA-892-1:
  - CVE-2017-16516, potential DoS due to crash
  - CVE-2022-24795, potential heap memory corruption when dealing with large (~2GB) input
  - CVE-2023-33460, a memory leak that can lead to DoS (previous fix was incomplete)

yajl is embedded in several other packages, so I've analyzed other packages known to embed it to see if further actions are required. For example, ruby-yajl and xqilla have been found not to be affected.

php-cas: DLA-3485-1, ELA-890-1 (stretch)
- CVE-2022-39369 (LTS and ELTS/stretch) Service Hostname Discovery Exploitation
- CVE-2017-171 (ELTS/stretch) Authentication bypass in very old CAS servers

The changes to php-cas, for CVE-2022-39369 were API breaking, so the following packages have been updated to facilitate these changes:
- ocsinventory-server (DLA-3486-1)
- fusiondirectory (DLA-3487-1). This upload also addresses some CVEs, fixes prepared by Abhijith PA. See advisory for details.

ELTS:

renderdoc: (WIP) (stretch)
Currently backporting patches for CVE-2018-14774, CVE-2021-21424, CVE-2022-24894 and CVE-2022-24895. A preliminary package is available, but testing is not yet completed.

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors

Cheers,
--
tobi
Debian LTS report for July 2023
In July 2023 I've worked on the below listed packages for Freexian LTS/ELTS [1].

Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS:

- amd64-microcode
  - Release DLA-3511-1 with a new upstream version.

ELTS:

- python-reportlab
  - triaged CVE-2023-33733 (no update needed).
- samba:
  - backported patches for https://bugzilla.samba.org/show_bug.cgi?id=15418 and waiting for a decision if we want to continue the support.

I have also participated in the (E)LTS meeting and improved the internal documentation and tooling of the team.

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors

Cheers
Jochen
Debian LTS report for July 2023
During the month of July 2023 and on behalf of Freexian, I worked on the following:

* DLA-3488-1 for node-tough-cookie=2.3.4+dfsg-1+deb10u1 [CVE-2023-26136]
  https://lists.debian.org/msgid-search/?m=zkxrmnkoiqoif...@debian.org

* DLA-3493-1 for symfony=3.4.22+dfsg-2+deb10u2 [CVE-2021-21424, CVE-2022-24894 and CVE-2022-24895]
  https://lists.debian.org/msgid-search/?m=zk3jf8mjqvymd...@debian.org

* DLA-3496-1 for lemonldap-ng=2.0.2+ds-7+deb10u9 [CVE-2023-28862 and fix incorrect backport for CVE-2021-20874]
  https://lists.debian.org/msgid-search/?m=zlemv3qczpjl9...@debian.org

* DLA-3499-1 for libapache2-mod-auth-openidc=2.3.10.2-1+deb10u3 [CVE-2021-39191 and CVE-2022-23527]
  https://lists.debian.org/msgid-search/?m=zlcxcsyvnie6p...@debian.org

* DLA-3507-1 for pandoc=2.2.1-3+deb10u1 [CVE-2023-35936 and CVE-2023-38745, plus responsible disclosure for the latter]
  https://lists.debian.org/msgid-search/?m=zmaecno5w6pxb%2...@debian.org

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

--
Guilhem.