(E)LTS report for March 2024
LTS:

cpio:
- Added note that upstream considers CVE-2023-7216 (sole unfixed CVE) normal behavior.

fontforge:
- Released DLA-3754-1, fixing CVE-2020-5395, CVE-2020-5496, CVE-2024-25081 and CVE-2024-25082.
- Fixed CVE-2024-25081 and CVE-2024-25082 in sid.
- Fixed CVE-2024-25081 and CVE-2024-25082 as DSA-5641-1 in bullseye and bookworm.

gtkwave:
- Released DLA-3785-1, upgrading to a new upstream version fixing
  CVE-2023-32650 CVE-2023-34087 CVE-2023-34436 CVE-2023-35004 CVE-2023-35057 CVE-2023-35128
  CVE-2023-35702 CVE-2023-35703 CVE-2023-35704 CVE-2023-35955 CVE-2023-35956 CVE-2023-35957
  CVE-2023-35958 CVE-2023-35959 CVE-2023-35960 CVE-2023-35961 CVE-2023-35962 CVE-2023-35963
  CVE-2023-35964 CVE-2023-35969 CVE-2023-35970 CVE-2023-35989 CVE-2023-35992 CVE-2023-35994
  CVE-2023-35995 CVE-2023-35996 CVE-2023-35997 CVE-2023-36746 CVE-2023-36747 CVE-2023-36861
  CVE-2023-36864 CVE-2023-36915 CVE-2023-36916 CVE-2023-37282 CVE-2023-37416 CVE-2023-37417
  CVE-2023-37418 CVE-2023-37419 CVE-2023-37420 CVE-2023-37442 CVE-2023-37443 CVE-2023-37444
  CVE-2023-37445 CVE-2023-37446 CVE-2023-37447 CVE-2023-37573 CVE-2023-37574 CVE-2023-37575
  CVE-2023-37576 CVE-2023-37577 CVE-2023-37578 CVE-2023-37921 CVE-2023-37922 CVE-2023-37923
  CVE-2023-38583 CVE-2023-38618 CVE-2023-38619 CVE-2023-38620 CVE-2023-38621 CVE-2023-38622
  CVE-2023-38623 CVE-2023-38648 CVE-2023-38649 CVE-2023-38650 CVE-2023-38651 CVE-2023-38652
  CVE-2023-38653 CVE-2023-38657 CVE-2023-39234 CVE-2023-39235 CVE-2023-39270 CVE-2023-39271
  CVE-2023-39272 CVE-2023-39273 CVE-2023-39274 CVE-2023-39275 CVE-2023-39316 CVE-2023-39317
  CVE-2023-39413 CVE-2023-39414 CVE-2023-39443 CVE-2023-39444
- Submitted a similar upgrade to unstable.
- Submitted similar upgrades to bullseye-security and bookworm-security, where they were released as DSA-5653-1.
- The DSA and DLA were released in April, but they are listed here since all work was done and submitted for review in March.

gross:
- Released DLA-3774-1, fixing CVE-2023-52159.
- Submitted the CVE-2023-52159 fix for the next bullseye and bookworm point releases.

iwd:
- Determined that CVE-2024-28084 does not affect buster.

libuv1:
- Released DLA-3752-1, fixing CVE-2024-24806.

node-xml2js:
- Released DLA-3760-1, fixing CVE-2023-0842.

postgresql-11:
- Released DLA-3764-1, fixing CVE-2024-0985.

python2.7:
- Determined that CVE-2023-6597 does not affect python2.7.
- Released DLA-3771-1, fixing CVE-2024-0450.

python3.7:
- Released DLA-3772-1, fixing CVE-2023-6597 and CVE-2024-0450.

qemu:
- Determined that qemu 1:5.2+dfsg-11+deb11u3 in bullseye had fixed CVE-2022-1050 (fix already applied in buster), not CVE-2023-1544.
- Determined that CVE-2023-1544 does not affect buster.
- Determined that CVE-2023-6683 does not affect <= bullseye.
- Determined that CVE-2024-24474 does not affect <= bullseye.
- Determined that CVE-2023-42467 does not affect <= bullseye.
- Released DLA-3759-1, fixing CVE-2023-2861, CVE-2023-3354 and CVE-2023-5088.

tar:
- Released DLA-3755-1, fixing CVE-2023-39804.

unadf:
- Released DLA-3762-1, fixing CVE-2016-1243 and CVE-2016-1244.

yard:
- Released DLA-3753-1, fixing CVE-2019-1020001 and CVE-2024-27285.

ELTS:

clamav:
- Determined that CVE-2024-20290 and CVE-2024-20328 (sole unfixed CVEs) do not affect jessie or stretch.

imlib2:
- Determined that CVE-2024-25447, CVE-2024-25448 and CVE-2024-25450 (sole unfixed CVEs) do not affect <= buster.

libgit2:
- Determined that CVE-2024-24575 does not affect jessie or stretch.
- Released ELA-1053-1, fixing CVE-2024-24577 in stretch.

libuv1:
- Determined that CVE-2024-24806 does not affect stretch.

postgresql-9.4:
- Released ELA-1061-1, fixing CVE-2024-0985 in jessie.

postgresql-9.6:
- Released ELA-1060-1, fixing CVE-2024-0985 in stretch.

putty:
- Determined that CVE-2020-14002 does not affect jessie or stretch.
- Determined that CVE-2023-48795 does not affect jessie or stretch.

python2.7:
- Released ELA-1065-1, fixing CVE-2024-0450 in jessie and stretch.

python3.4:
- Released ELA-1067-1, fixing CVE-2024-0450 in jessie.

python3.5:
- Released ELA-1066-1, fixing CVE-2024-0450 in stretch.

qemu:
- Determined that CVE-2024-26327 does not affect jessie or stretch.
- Determined that CVE-2024-26328 does not affect jessie or stretch.
- Released ELA-1063-1, fixing CVE-2020-14394, CVE-2023-0330, CVE-2023-2861, CVE-2023-3180, CVE-2023-3354 and CVE-2023-5088 in stretch.
(E)LTS report for March 2024
I've worked during March 2024 on the below listed packages, for Freexian LTS/ELTS [1]. Many thanks to Freexian and sponsors [2] for providing this opportunity!

ELTS and LTS:

nss (DLA 3757-1, ELA-1054-1)

Completed testing on nss and uploaded the package to LTS and ELTS fixing CVE-2024-0743, CVE-2023-5388 and, in ELTS additionally, CVE-2023-4421.

(This is a continuation of February's work, repeating myself for context:)

nss currently has three (buster) and four (jessie, stretch) open vulnerabilities. Some of the patches were easy to backport, but there were challenges with CVE-2023-5388 and CVE-2023-6135.

For the first one, at the beginning of my work, there was no patch publicly available, albeit some commercial distribution had claimed that they had fixed it already; however, I couldn't find the patch. MAYBE that's because they've recently restricted access to their source code to their customers only. At least I couldn't find it. However, after asking the LTS team, someone from the team pointed me to patches from AWS and Rocky Linux, and only a few days later upstream committed a patch to their repository (which was a bit different than the patch found earlier).

The second one, CVE-2023-6135, is a side-channel attack nicknamed "Minerva". The security tracker lists two relevant patches and they are partially backportable, except on the parts where the buster code seems not to have the NIST curves, at least not in the files the upstream patch is patching. I've adopted the upstream patches, but I was too unsure about which bits of those patches are actually required for buster, so I've decided not to apply the patch and keep the CVE unhandled, and reached out to upstream to obtain further information about the vulnerability. Upstream suggested deferring this CVE for now, as they plan to prepare patches for one of their LTS versions and it will make more sense to use those for backporting to (E)LTS.

expat (WIP)

Most of the time this month I've worked on expat, to tackle CVE-2023-52425, CVE-2023-52426 and CVE-2023-52427. As expat is a very widely used package, one needs to be extra careful when tackling stuff there. Fortunately I found that there is an upstream test suite available in the package. However, it was not enabled, and when trying to enable it the test suite failed to compile, so I spent some time fixing the compilation issue and re-enabling the test suite.

Then it was time to backport the first one, CVE-2023-52425. The patch is quite sizeable, and after completing the backport the test suite was not really happy, with several tests failing. After some debugging I decided to split the patch into its constituent upstream commits and iterate towards a solution, isolating the commits where the test suite starts failing. This allowed me to debug the problems and identify some other extra required upstream changes to the library and test suite. In the end the test suite was happy, and the debugging showed that the patch for the CVE basically uncovered some bugs in the old test code.

The other CVEs have been triaged and found not to be affecting/actionable for the LTS and ELTS packages:

CVE-2023-52426 fixes billion laughs attacks when the library is compiled without XML_DTD defined, which is not the case for Debian. (For the other case it is CVE-2013-0340; however, the fix for this vulnerability won't be backported due to the risk of regression, given its size, complexity, and new APIs. Expat provides an API to mitigate expansion attacks, so this is ultimately under the control of the app using Expat.)

CVE-2023-52427 is not applicable for the LTS/ELTS packages either: it is actually a limitation/bug of a function in the original CVE-2013-0340 mitigation heuristic, and as we don't have that code…

I'm currently finishing testing and will upload the package likely this weekend if the testing is successful.

Cheers,
-- tobi

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors
Debian LTS report for March 2024
During the month of March 2024 and on behalf of Freexian, I worked on the following:

phpseclib
---------
Uploaded 1.0.19-3~deb10u3 and issued DLA-3749-1.
https://lists.debian.org/msgid-search/?m=zeck08zg6y-jz...@debian.org
 * CVE-2024-27354: An attacker can construct a malformed certificate containing an extremely large prime to cause a denial of service.
 * CVE-2024-27355: When processing the ASN.1 object identifier of a certificate, a sub identifier may be provided that leads to a denial of service.

php-phpseclib
-------------
Uploaded 2.0.30-2~deb10u3 and issued DLA-3750-1.
https://lists.debian.org/msgid-search/?m=zeck396hzvnxm...@debian.org
 * CVE-2024-27354: An attacker can construct a malformed certificate containing an extremely large prime to cause a denial of service.
 * CVE-2024-27355: When processing the ASN.1 object identifier of a certificate, a sub identifier may be provided that leads to a denial of service.

dask.distributed
----------------
Ended up triaging the package after further testing and bisecting. (CVE-2021-42343 was unreproducible with <2.0 and likely introduced in 2.0.0.)

spip
----
Uploaded 3.2.4-1+deb10u13 and issued DLA-3761-1.
https://lists.debian.org/msgid-search/?m=zfrhisygvwitl...@debian.org
 * CVE-2023-52322: XSS vulnerability because input from _request() is not sanitized.

nodejs
------
Uploaded 10.24.0~dfsg-1~deb10u4 and issued DLA-3776-1.
https://lists.debian.org/msgid-search/?m=zgnrglwvgme2a...@debian.org
 * CVE-2023-30590: Documentation change for the generateKeys() API function to align with the actual behavior, that is, only generate a private key if none has been set yet.
 * CVE-2023-46809: Marvin Attack vulnerability in the privateDecrypt() API of the crypto library. This is a timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding. The fix disables RSA_PKCS1_PADDING and includes a security revert flag that can be used to restore support (and the vulnerability).
 * CVE-2024-22025: Denial of Service by resource exhaustion in fetch() brotli decoding.
 * Also backport upstream commit a1121b456c (unit tests for CVE-2022-32212).
 * Fix DNS unit tests which caused FTBFS in some build environments.

libvirt
-------
Uploaded 5.0.0-4+deb10u2 and issued DLA-3778-1.
https://lists.debian.org/msgid-search/?m=zgqmnnznsz4ap...@debian.org
(The upload was done on April 1st but all backport and testing work was done in March.)
 * CVE-2020-10703: NULL pointer dereference in the libvirt API that is responsible for fetching a storage pool based on its target path.
 * CVE-2020-12430: Memory leak in the virDomainListGetStats libvirt API that is responsible for retrieving domain statistics when managing QEMU guests.
 * CVE-2020-25637: Double free memory issue in the libvirt API that is responsible for requesting information about network interfaces of a running QEMU domain.
 * CVE-2021-3631: SELinux MCS may be accessed by another machine.
 * CVE-2021-3667: Improper locking in the virStoragePoolLookupByTargetPath API.
 * CVE-2021-3975: Use-after-free vulnerability. The qemuMonitorUnregister() function in qemuProcessHandleMonitorEOF is called using multiple threads without being adequately protected by a monitor lock.
 * CVE-2021-4147: Deadlock and crash in libxl driver.
 * CVE-2022-0897: Missing locking in nwfilterConnectNumOfNWFilters.
 * CVE-2024-1441: Off-by-one error in the udevListInterfacesByStatus() function.
 * CVE-2024-2494: Missing check for negative array lengths in RPC server de-serialization routines.
 * CVE-2024-2496: NULL pointer dereference in the udevConnectListAllInterfaces() function.

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

-- Guilhem.
Debian LTS report for March 2023
In March I worked on the following issues for samba:

- CVE-2020-10704
- CVE-2020-10730
- CVE-2020-10745
- CVE-2020-10760
- CVE-2020-14303

I have also reviewed a DLA notice written by Bastien.

Thanks to the sponsors for financing this work, and to Freexian for coordinating!

Regards,
Lee
Debian LTS report for March 2023
During the month of March 2023 and on behalf of Freexian, I worked on the following:

* DLA-3347-2 for spip=3.2.4-1+deb10u11 [Regression update for DLA-3347-1]
  https://lists.debian.org/msgid-search/?m=zaj85ko1lavxw...@debian.org
* DLA-3363-1 for pcre2=10.32-5+deb10u1
  CVE-2019-20454, CVE-2022-1586 and CVE-2022-1587
  https://lists.debian.org/msgid-search/?m=zbkah9bvesqzn...@debian.org
* [WIP] Wordpress triaging

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

-- Guilhem.
(E)LTS report for March 2023
I've worked during March 2023 on the below listed packages, for Freexian LTS/ELTS [1]. Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS:

libde265: DLA-3352-1 (10 CVEs, see ELA for details)
wireless-regdb: DLA-3356-1 (updating to newer version, for full support of backported kernels.)
intel-microcode: DLA-3379-1 (CVE-2022-21216 CVE-2022-21233 CVE-2022-33196 CVE-2022-33972 CVE-2022-38090)
firmware-nonfree: DLA-3380-1 (11 CVEs, see DLA for details)
  While retaining old firmware for older kernels, this also adds new firmware to support hardware of newer 5.10 kernels.

ELTS:

libde265: ELA-811-1 (10 CVEs, see ELA for details) for stretch
pcre2: ELA-816-1 (CVE-2022-1586) for stretch
intel-microcode: ELA-825-1 (CVE-2022-21216 CVE-2022-21233 CVE-2022-33196 CVE-2022-33972 CVE-2022-38090) for stretch and jessie.
firmware-nonfree: DLA-3380-1 (11 CVEs, see ELA for details) for stretch and jessie.
  While retaining old firmware for older kernels, this also adds new firmware to support hardware of newer 5.10 kernels (stretch) and 4.19 kernels (jessie).

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors

Cheers,
-- tobi
LTS report for March 2023
DLA released:

DLA-3377-1 systemd CVE-2023-26604

cu
Adrian
LTS report for March 2023
Hi,

in March, I took on, at least, one LTS task (hoping that I will get around to some more in the following months…).

DLA-3370-1: xrdp security update

xrdp had a few open CVEs for buffer overflows and out of bounds memory access, which Abhijith thankfully already triaged.

On top of that, I had to get some issues with my LTS development/build system straight while migrating to a new work laptop.

Cheers,
Nik
LTS report for March 2022 - Abhijith
Hello.

During the month of March I worked on the following packages for LTS:

* asterisk
  - Total of 22 CVEs
  - Fixed 6 CVEs, 5 CVEs as no-DSA (intrusive to backport)
  - Rest of the CVEs are of pjproject, not affecting stretch
  - [DLA-2969-1]

* pjproject
  - Almost all work completed last month
  - Fixed 2 more CVEs
  - [DLA 2962-1] [DLA 2962-2]

* ring
  - Work completed last month
  - Fixed 2 more CVEs
  - package in stretch is faulty. Working on that - latest build[1]

Regards
Abhijith

[1] - https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc
LTS report for March 2021 - Abhijith PA
March was my 37th month as a Debian LTS paid contributor. I was assigned 9 hours and I spent all of them on the following:

* smarty3: Backported patches for CVE-2018-13982, CVE-2021-26119, CVE-2021-26120, CVE-2018-16831. Tested and uploaded. [DLA 2618-1][1]
* privoxy: Released [DLA 2587-1][2] and webpage announcements for privoxy_3.0.26-3+deb9u2 uploaded by Roland Rosenfeld.
* gsoap: There are 5 CVEs remaining. Combing through the upstream source for patches. Pinged upstream dev for help.
* ruby-activerecord-session-store: Marked CVE-2019-25025 as ignored[3]

Regards
Abhijith PA

[1] - https://lists.debian.org/debian-lts-announce/2021/04/msg4.html
[2] - https://lists.debian.org/debian-lts-announce/2021/03/msg9.html
[3] - https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6228ca3b86631280837cb1601bb368e316fc4307
(E)LTS report for March
Hi,

During the last month I spent 19.5 hours on LTS working on the following:

- CVE triaging
- firefox-esr security update
- qemu security update
- thunderbird security update
- started to look at dak built-using problem
- icu security update
- started to backport bluez security issue to older version. pondering whether it's worth the regression risk.

For ELTS I spent 6 hours on the following tasks:

- openjdk-7 regression update
- frontdesk
- ensuring no supported packages were accidentally marked as EOL

Cheers,
Emilio
LTS report for March (& February) 2020 - Abhijith PA
February
--------

I was assigned 14 hours for February. Unfortunately I didn't do anything. I held 2h and gave back the rest to the pool.

March
-----

I was assigned 14 hours for March as well, plus 2 hours from the previous month. I spent all the hours on the following:

* Tomcat8: There were 5 CVEs reported - CVE-2019-12418 fixed and uploaded[1]; CVE-2019-17569 was not affecting the current version in jessie, thus marked as not-affected. Backporting CVE-2019-17563, CVE-2020-1935 and CVE-2020-1938 turned out to be too intrusive and thus marked as no-dsa. Might be upgrading to the 8.5.x branch.
* ruby2.1: Fixed CVE-2016-2338 and uploaded[2].
* 1 week of front-desk duty (marked puppet as not-affected; added shiro, okular, tika, libperlspeak-perl, ruby2.1, mumble, otrs2 to dla-needed.txt)
* mumble: Following up a regression in the last update.
* otrs2: 5 CVEs reported - CVE-2020-1771 marked as not-affected; the upstream patch for CVE-2020-1769 is not working as intended. CVE-2020-1770, CVE-2020-1772, CVE-2020-1773 are patched.

Regards
Abhijith PA

[1] - https://lists.debian.org/debian-lts-announce/2020/03/msg00029.html
[2] - https://lists.debian.org/debian-lts-announce/2020/03/msg00032.html
Re: (E)LTS report for March
On 16/04/2019 04:22, PICCORO McKAY Lenz wrote:
> but it seems wheezy is removed from security Debian but, as of April 14, is
> still not present in the Debian archive

It is indeed removed from security.debian.org, however it has been archived:

http://archive.debian.org/debian/dists/wheezy/
http://archive.debian.org/debian-security/dists/wheezy/

Yet this is talking about extended LTS:

https://deb.freexian.com/extended-lts/docs/how-to-use-extended-lts/

Look at that if you want to use it, but note that only a subset of the archive is supported, and only for a limited time, so make sure you only use packages in that subset.

Emilio
Re: (E)LTS report for March
but it seems wheezy is removed from security Debian but, as of April 14, is still not present in the Debian archive

Lenz McKAY Gerardo (PICCORO)
http://qgqlochekone.blogspot.com

On Wed, Apr 10, 2019 at 03:42, Emilio Pozuelo Monfort (poch...@gmail.com) wrote:

> Hi,
>
> During the month of March, I spent 26 hours working on LTS on the following
> tasks:
>
> libsndfile security update
> prepared firmware-nonfree update
> ntfs-3g security update
> firefox-esr security updates
> bash security update
> ghostscript coordination
> openjdk-7 security update
> drupal7 security update
> thunderbird security update
> tzdata, libdatetime-timezone-perl updates
> CVE triaging
>
> I also spent 16h on ELTS:
>
> - openjdk-7 security update
> - security tracker improvements (pre-commit hook)
> - libsndfile security update
> - firmware-nonfree update (not yet released)
> - ntfs-3g security update
> - bash security update
> - tiff3 review / feedback
> - tzdata, libdatetime-timezone-perl updates
> - CVE triaging
>
> Cheers,
> Emilio
LTS report for March
Hi,

I had posted my monthly report on my blog, which is aggregated at Planet Debian:

https://blog.beuc.net/posts/Debian_LTS_-_March_2019/
https://planet.debian.org/

In case some of this list's members left the RSS world, I reference it here as well :)

Cheers!
Sylvain
(E)LTS report for March
Hi,

During the month of March, I spent 26 hours working on LTS on the following tasks:

libsndfile security update
prepared firmware-nonfree update
ntfs-3g security update
firefox-esr security updates
bash security update
ghostscript coordination
openjdk-7 security update
drupal7 security update
thunderbird security update
tzdata, libdatetime-timezone-perl updates
CVE triaging

I also spent 16h on ELTS:

- openjdk-7 security update
- security tracker improvements (pre-commit hook)
- libsndfile security update
- firmware-nonfree update (not yet released)
- ntfs-3g security update
- bash security update
- tiff3 review / feedback
- tzdata, libdatetime-timezone-perl updates
- CVE triaging

Cheers,
Emilio
LTS report for March 2019 - Abhijith PA
March 2019 was my 14th month as a Debian LTS paid contributor. I was assigned 14 hours and I spent all of them on the following:

* otrs: Fixed CVE-2019-9752, tested and uploaded[1]
* wordpress: New version uploaded to fix CVE-2019-8942, CVE-2019-9787 and released DLA[2]. Backporting fixes is not an option for wordpress. No neat description regarding the fixes nor reply from upstream developers.
* ruby2.1: Fixed a couple of vulnerabilities in the rubygems in ruby2.1 and released DLA[3]
* mumble: regression reported[4]. A new build was made which the maintainer helped in testing with the researcher's PoC, but it is still susceptible to DoS. Will prepare an update with the latest version in its point release.
* jruby: the same rubygems vulnerability also affects jruby. Currently jruby in jessie is FTBFS. Working on fixing it and the remaining issues.

Regards
Abhijith PA

[1] - https://lists.debian.org/debian-lts-announce/2019/03/msg00023.html
[2] - https://lists.debian.org/debian-lts-announce/2019/03/msg00044.html
[3] - https://lists.debian.org/debian-lts-announce/2019/03/msg00037.html
[4] - https://github.com/mumble-voip/mumble/issues/3605
LTS report for March 2019
Hours worked: 8 hours

Work was started on updates for checkstyle and libmatio. Work on them will be continued in the next days.

cu
Adrian

--
"Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
LTS report for March
Hi,

Last month I spent 12.5h on LTS as follows:

- Prepared and released 3 different updates of firefox-esr
- Updated tzdata and libdatetime-timezone-perl
- Updated thunderbird
- Looked at updating OpenJDK 7 to a newer release for experimental and wheezy (in the end the maintainer did the experimental update).

Cheers,
Emilio
LTS Report for March 2018
For March I spent 7.5 hours on the gcc retpoline issue. Part was effort toward the attempt to backport Moritz's patches from gcc-4.9 to gcc-4.6 and, when that proved infeasible, the remainder went towards backporting gcc-4.9 to wheezy. Work continues.

Regards,

-Roberto
--
Roberto C. Sánchez
LTS report for March 2018 - Abhijith PA
This is my second month as a Debian LTS paid contributor. I was assigned 8 hours and I spent all of it on the following.

* golang: Continued my work on backporting CVE-2018-7187. Thanks to Chris Lamb for uploading and releasing DLA[1]
* zsh: Backport CVE-2014-10070, CVE-2014-10071, CVE-2014-10072, CVE-2016-10714, CVE-2017-18206. Test, upload (and released DLA[2] by Chris Lamb)
* graphite2: Initial plan was to backport CVE-2018-7999 and worked on it. But later decided to tag it as 'no-DSA' to follow the security team.
* uwsgi: Investigated CVE-2018-7490 and later decided not to upload as it is not affecting wheezy without the uwsgi-plugin-php. Thanks to Gero Treuner for the patch and review.
* libvncserver: Backport CVE-2018-7225, test and release DLA[3]. Thanks to Lundqvist for uploading.

In my volunteer time I also prepared a security update for phpmyadmin[4][5] in oldstable, but no feedback yet. If someone could review and upload, it would be great.

--abhijith

[1] https://lists.debian.org/debian-lts-announce/2018/02/msg00029.html
[2] https://lists.debian.org/debian-lts-announce/2018/03/msg7.html
[3] https://lists.debian.org/debian-lts-announce/2018/03/msg00035.html
[4] https://mentors.debian.net/debian/pool/main/p/phpmyadmin/phpmyadmin_4.2.12-2+deb8u3.dsc
[5] test instance running my build: http://159.65.202.84:9001/phpmyadmin/ (pm me for credentials)
LTS report for March
Hi,

Last month I was allocated 14.75h and carried over 0.5h from the previous month. I spent 11.75h doing the following:

- libice/libxdmcp/xorg-server: investigated and ended up marking all the vulnerabilities as no-dsa.
- tzdata/libdatetime-timezone-perl: updated to tzdata 2017a.
- firefox-esr: updated to Firefox 45.8.0 ESR. I also looked at Firefox 52 ESR, as 45 is soon to be end of life, and investigated and fixed some build issues. Also tested the resulting package, which works fine.
- gdk-pixbuf: marked the issues as no-dsa.
- libvpx: backported one of the fixes. The other issue is harder to backport as part of the code has been rewritten. I'm considering marking these issues as no-dsa, but still investigating that.

Cheers,
Emilio
LTS Report for March 2017
For March I had 22.5 hours available (some carried over from February) and I spent 21.5 hours as follows:

- imagemagick: CVE-2016-10062, CVE-2017-6498, CVE-2017-6500: integrated and/or backported fixes, built and tested packages, uploaded, and published DLA
- samba: CVE-2017-2619: identified and cherry-picked upstream commits needed prior to applying CVE fix, backported CVE fix patch from upstream, backported patch to fix regression introduced by CVE patch, built and tested packages, requested review and assistance testing candidate packages prior to upload

Regards,

-Roberto
--
Roberto C. Sánchez
Re: LTS report for March 2016
Hi Damyan,

On Thu, 31 Mar 2016, Damyan Ivanov wrote:
> I had 7.35h left from the February allocation. I ended up using none of
> them, due to various, mostly personal reasons.
>
> The perspective for April is not better, so I marked myself as
> inactive in contributors.yaml. Since these are leftover hours from
> February, I intend to return them to the April allocation pool
> (Available:2016:04), please advise if this is the right thing to do.
>
> For the future, I intend to do some LTS work as an unpaid volunteer,
> both to make up for the false start, and to have some proof that I can
> keep it up.

Thanks for the notice. Note however that public reports are mandatory only if you have done something on paid time. Given that you give back your undone hours, a simple mail to the private alias would have been enough.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
LTS report for March 2016
I had 7.35h left from the February allocation. I ended up using none of them, due to various, mostly personal reasons.

The perspective for April is not better, so I marked myself as inactive in contributors.yaml. Since these are leftover hours from February, I intend to return them to the April allocation pool (Available:2016:04), please advise if this is the right thing to do.

For the future, I intend to do some LTS work as an unpaid volunteer, both to make up for the false start, and to have some proof that I can keep it up.

-- Damyan