(E)LTS report for June 2023

2023-07-01 Thread Tobias Frost
I've worked during June 2023 on the below listed packages, for Freexian
LTS/ELTS [1]

Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS:


nvidia-cuda-tools:
 Triaging, with the result that an update probably does not make sense, as
 fixes for the CVEs are not available for the version in buster, and a newer
 version carries the danger that it does not support all cards that were
 originally supported. The libraries might also break ABI.
 See also Andreas' reply in the thread starting at
 https://lists.debian.org/debian-lts/2023/06/msg00032.html


LTS and ELTS:

php-cas:
 Ongoing work to prepare updated packages for CVE-2017-171,
 an authentication bypass vulnerability (please see the CVE for details.)
 Unfortunately the change required is API breaking, so reverse dependencies
 need to be fixed as well. In buster, those are:
 - fusiondirectory (patch for the CVE-2017-171 ready)
 - ocsinventory-server (TODO)

 As users might be using software that uses php-cas but is not in Debian, to
 give them an opportunity to fix the packages on their side, preliminary
 packages are available. See this thread and its replies for more information
 and for where those are: https://lists.debian.org/debian-lts/2023/06/msg00058.html

 fusiondirectory also needs some fixes of its own; I'm coordinating the upload
 with Abhijith PA, as they have been working on the package for those.

 The plan is to upload php-cas, fusiondirectory and ocsinventory-server at the
 same time, once ocsinventory-server is ready.

 For stretch, php-cas has only unsupported reverse dependencies in Debian;
 still, this needs coordination with users of the package to get their
 software updated. After this coordination is done, I plan to upload php-cas
 for stretch.


ELTS:


yajl:
 ELA-888-1 (stretch/jessie), CVE-2023-33460, a memory leak that can lead to
 DoS.



[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors

Cheers,
-- 
tobi





Debian LTS and ELTS - June 2023

2023-07-01 Thread Sylvain Beucler
Here is my public monthly report.

Thanks to our sponsors for making this possible, and to Freexian for
handling the offering.
https://www.freexian.com/lts/debian/#sponsors


LTS

- openssl
  - Reference/refresh recent patches in the security tracker
  - DLA 3449-1 (4 CVEs)
https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html

- ffmpeg
  - Track fixed CVEs in past upload
  - DLA 3454-1 (4.1.10->4.1.11 upgrade, with unregistered vulnerabilities)
https://lists.debian.org/debian-lts-announce/2023/06/msg00016.html

- python-werkzeug/bullseye upcoming DSA
  - Review (based on my DLA 3346-1 for the same package)

- Front-Desk
  - Mark 16 packages for update
  - Triage or precise triage for 15+ CVEs
  - Request new CVE for package 'osslsigncode'
  - Clean-ups/precisions in work queue and package database
  - Follow-up on upload-related issues


ELTS

- sysstat
  - ELA-866-1 (1 CVE)
https://www.freexian.com/lts/extended/updates/ela-866-1-sysstat/

- Front Desk
  - Associate CVEs from newer, branched Debian packages with different
names to older ELTS packages (emacs*, golang*, netty*, openssl*,
php*, python*, tomcat*)
  - Mark 11 supported packages for update
  - Triage or precise triage for 10+ CVEs
  - Clean-ups/precisions in work queue


Documentation and tooling

- Continue discussion on making stable-security build logs public
  after package release, now involving other teams
  https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/51
  https://lists.debian.org/debian-lts/2023/06/msg1.html

- Tooling: continue to revamp work queue report ('find-work')
  (private tooling planned to be made public)
  - Continue clean-up and finish review processes
  - Convert work queues (dla_needed.txt, ela_needed.txt) to drop
duplicate information
  - Display warning if the Debian package maintainer requests
involvement in LTS uploads (from 'data/packages/lts-do-call-me')
  - Display age in the work queue for each planned upload

- LTS Documentation
  - TestSuites: ffmpeg: refresh for buster
https://lts-team.pages.debian.net/wiki/TestSuites/ffmpeg.html
  - TestSuites: golang: refresh uploads involving reverse-dependencies
https://lts-team.pages.debian.net/wiki/TestSuites/golang.html#finding-reverse-build-dependencies
  - TestSuites: refresh index, fix mark-up
https://lts-team.pages.debian.net/wiki/TestSuites.html
https://lts-team.pages.debian.net/wiki/TestSuites/php.html
  - Development: drop coordinator work from front-desk section,
update/simplify 'package-operations' documentation,
clarify debian-archive-keyring rationale
https://lts-team.pages.debian.net/wiki/Development.html

- Guide non-security LTS upload from non-team contributor
  https://bugs.debian.org/1039489

- Continue internal discussions on packages claimfiles format/workflow

- Jitsi team meeting

-- 
Sylvain Beucler
Debian LTS Team



Debian LTS report for June 2023

2023-07-01 Thread Guilhem Moulin
During the month of June 2023 and on behalf of Freexian, I worked on the
following:

  * DLA-3442-1 for nbconvert=5.4-2+deb10u1
[CVE-2021-32862: GHSL-2021-1013 to -1028]
https://lists.debian.org/msgid-search/?m=zhteirpktw6wr...@debian.org

  * DLA-3458-1 for php7.3=7.3.31-1~deb10u4
[CVE-2023-3247]
https://lists.debian.org/msgid-search/?m=zjedyafkomsgp...@debian.org

  * DLA-3460-1 for python-mechanize=1:0.2.5-3+deb10u1
[CVE-2021-32837]
https://lists.debian.org/msgid-search/?m=zjg1ykrw4kyn9...@debian.org

  * DLA-3463-1 for opensc=0.19.0-1+deb10u2
[CVE-2019-6502, CVE-2021-42779, CVE-2021-42780, CVE-2021-42781,
CVE-2021-42782 and CVE-2023-2977]
https://lists.debian.org/msgid-search/?m=ZJI9/b4xxwuwn...@debian.org

  * DLA-3469-1 for lua5.3=5.3.3-1.1+deb10u1
[CVE-2019-6706 and CVE-2020-24370]
https://lists.debian.org/msgid-search/?m=zjtqrum3nm%2bcvj%...@debian.org

Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
-- 
Guilhem.

