I've worked during January on the packages listed below, for Freexian.

Many thanks to Freexian and our sponsors [2] for providing this opportunity!



Fix CVE-2023-34194 and release ELA-1029-1.

Note that this project is dead upstream, but a fork seems active. Opened a bug 
report about switching to the fork.


Tried to assess, by risk analysis, the best path to upgrade mariadb. Proposed a 
few actions to the team.


Triaged CVEs; in particular, checked CVE-2023-42465 and CVE-2023-7090: not 
vulnerable for stretch/jessie.

Apply CVE-2023-2848[67] to stretch. For jessie the risk of regression is too high 
due to the lbuf backport.

Add an automatic test suite for stretch.

Wait for review by sudo maintainer.

Tried and succeeded to backport from stretch to jessie. Waiting for risk analysis 
by another member of the team.


Add patch for stretch/jessie fixing SMTP smuggling.
Allow compilation on a backported kernel, as in ELTS, by patching the makefile.

I also fixed buster in order to allow a smooth CVE-less upgrade.

The autopkgtest check unfortunately failed, thus I fixed the regression testing.

I released ELA-1039-1 and DLA-3725-1.


Backport CVE-2023-27534, CVE-2023-28321, CVE-2023-28322, CVE-2023-46218 to 

Waiting for review by maintainer.



I tried to backport CVE-2023-48795/CVE-2021-36367/CVE-2020-14002 from bullseye, 
and began a risk analysis of the backport. The massive code change will render 
the backport hard, and I thus relinquish the package.


Triaged CVE-2023-28154, which is not present in webpack3.
Tested and closed the actions.


Following the previous month's work, I reviewed the changes and released DLA-3707-1.

keystone & subunit

I fixed CVE-2021-38155/CVE-2021-3563.

Unfortunately I was not able to compile the fix due to a regression in python 

I traced this to a short-read bug upstream.
I backported this fix.

I thus released a bug-fix DLA for subunit, DLA-3713-1.

Tests now show that keystone is fixed, and I released DLA-3714-1.


I fixed the last open CVE, CVE-2023-22084. Unfortunately, CVE fixes are not 
indicated in upstream git commits.
So I contacted the upstream security officer, who gave me the git commit. MariaDB 
upstream will likely publish
a summary of CVE fixes and their associated git commits in order to improve downstream 
I backported the fix from mariadb 10.11 to 10.3, then tested using the 
embedded test suite.
Unfortunately I had to resort to manual testing due to a problem with salsa. 
The problem was traced to a pristine-tar bug, and we are going to investigate.

I released DLA-3722-1.


Following the previous month's work and a long mail exchange with the Red Hat 
security report team
about CVE-2021-3533 and CVE-2021-3532, the Red Hat CNA retired (rejected) these 
two CVEs as


I proposed a fix for CVE-2023-28486/CVE-2023-28487 but using a backport from 

I found an RC bug, #1061272, by code review: a few parts of sudo are not 
recompiled from source, which is problematic security-wise for such a program.

I solved this RC bug, which was blocking other CVE fixes. I am now waiting for 
review by the maintainer of this package, due to the huge security implications 
of sudo.


Backport CVE-2023-27534 to buster.

I contacted SUSE security and reported their fixes as incomplete. Rewrite from 

Waiting for review by maintainer.

Other work

I tried to help Santiago with the testing infrastructure.

A special thanks to Wietse Venema from postfix.



[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors


