I've worked during April on the below listed packages, for Freexian LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS
===

Putty
--------
I have tested putty against Terrapin and released DLA 3794-1.
A fix for CVE-2024-31497 is proposed and awaits review.

gtkwave
------------
I have reviewed changes by Adrian Bunk.

shim
-------
I have reviewed CVE and triaged. I have proposed a fix for unstable.
Note that shim needs a full backport (like microcode) for a security release.
In order to ease the testing of this strategic package I have created an autopkgtest suite. It will make it easier to debug boot failures.
Note that this package needs extra caution due to the potential for breakage (no boot).
I am working with the maintainer in order to get more testable test cases.

wpa
-----
Buster was fixed and, in order to avoid an upgrade regression, I fixed CVE-2023-52160 in unstable.
I am proposing a PU for bookworm/bullseye.

zookeeper
---------------
Following the previous month, I built bookworm CVE-2024-23944 and proposed a PU.
I investigated CVE-2024-23944/bullseye and earlier. It seems an information leak is present but different; it may warrant a no-dsa. Waiting for the security team.

libjson-smart
-------------------
In order to avoid an upgrade regression I fixed CVE-2023-1370/sid. PUs are on the way.

apache2
------------
I am reviewing the changes of maintainer Yadd for buster.
I discovered that fossil and unrelated packages are broken by the fix of CVE-2024-24795. I am investigating other kinds of breakage.

ELTS
====

sendmail
-------------
Following the previous month, I fixed jessie NUL REJECT.
We tried with the Ubuntu team to clarify border cases of the SMTP smuggling attack.
We posted a risk analysis and disclosed some findings at
https://marc.info/?l=oss-security&m=171447187004229&w=2
The partial conclusion is that the SMTP standard needs to be rewritten to take into account the SMTP smuggling risk.
We had a few meetings with standards body members about this issue. It was mainly risk analysis and contact with other SMTP implementations.

apache2
------------
Backport CVE-2023-31122/CVE-2023-38709/CVE-2024-24795 to stretch.
Propose fix for jessie. Wait for review.
Try to find POC by contacting upstream.

fossil
-------
Try to work on fix. Backport is likely the best thing to do due to huge changes.

putty
--------
Verify that putty/stretch and putty/jessie are unaffected by CVE-2024-31497.
Filezilla is still affected.

Other works
==========
I attend monthly meetings of teams.

A special thanks to the Ubuntu security team for cross-checking my sendmail work, particularly Mark Esler.

Cheers

rouca

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors