Debian LTS and ELTS -- February 2024

2024-03-03 Thread Daniel Leidert
Hi,

I was working mostly on runc this month, backporting the patches to fix
and harden runc in Buster against CVE-2021-43784 and CVE-2024-21626,
issuing DLA 3735-1.

I also prepared the same patchset for runc for ELTS because it seemed
that the version from Buster had been uploaded to Stretch. However, I
couldn't find the version of runc that is in Git (and prepared for
Stretch) in any Stretch repository, and then ran out of time. Thus, I
have not gone any further there yet.

I also checked again cairosvg and CVE-2023-27586, which I had
originally examined back in April last year. Due to my recent findings,
that I reported, I did not go forward.

Thanks to Freexian and Freexian's sponsors for making these projects
possible: .

Regards, Daniel





Debian LTS and ELTS - February 2024

2024-03-01 Thread Sylvain Beucler
Here is my public monthly report.

Thanks to our sponsors for making this possible, and to Freexian for
handling the offering.
https://www.freexian.com/lts/debian/#sponsors


LTS

- cacti
  - Finish triaging and backporting the growing backlog of CVEs
  - Update the security tracker with numerous incorrect or missing
patches, and CVE limitations
  - Report duplicate CVEs to MITRE
  - Test CVE fixes
  - Find and report incomplete fix to Cacti upstream, and contribute
patch; waiting for their answer (GHSA-grj5-8fcj-34gh)
  - Contribute package update for (non-LTS) bullseye/oldstable and
bookworm/stable, waiting for review from Debian maintainer and
security team


ELTS

- python3.4
  - Review and clean-up preliminary work by other contributor
  - Debug and rework Salsa CI setup
  - Multiple fixes to test suite


Documentation and tooling

- Identify contributor-level issue with freexian administrative
  tooling and help test

- Documentation
  - (internal) improve notes on reproducing the ELTS autopkgtest setup
locally
  - TestSuites: improve python3 notes
https://lts-team.pages.debian.net/wiki/TestSuites/python3.html

- Jitsi meeting

-- 
Sylvain Beucler
Debian LTS Team



Debian LTS and ELTS -- February 2024

2024-02-29 Thread Sean Whitton
Hello,

This was my eighth month working on LTS and ELTS.  Thank you to Freexian
and Freexian's sponsors for making these projects possible:


LTS

- libssh

  - Finished backporting fixes for CVE-2020-16135, CVE-2023-6004,
CVE-2023-6918 and CVE-2023-48795.

I was able to finish backporting upstream's fixes to the version of
libssh that we have in buster.  The patches are different to
upstream's in several ways, so the backporting requires review.
I've documented the situation and put the package back in the queue,
seeking peer review.

Jakub Jelen of RedHat, one of libssh's developers, has been very
helpful in answering some questions.  There remains some doubt about
whether the fix I've committed for CVE-2023-6918 is safe, but Jakub
has provided some guidance on determining whether it is.  I intend
to wait for a review from another LTS team member before proceeding.

- libgit2

  - Released DLA-3742-1 fixing CVE-2024-24577.

- pillow

  - While working on an ELTS update for Pillow, I discovered that our
fix for an old vulnerability, CVE-2022-22817, may not be complete.
I'm still investigating just which suites require further changes.

ELTS

- pillow

  - I've been working to prepare a fix for CVE-2023-50447.
In the process, I discovered that our fix for an old vulnerability,
CVE-2022-22817, may be incomplete, and I'm now investigating.

-- 
Sean Whitton

