(E)LTS report for June 2023
I've worked during June 2023 on the below listed packages, for Freexian LTS/ELTS [1]. Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS:

nvidia-cuda-tools:
  Triaging, with the result that an update probably does not make sense, as fixes for CVEs are not available for the version in buster, and a newer version has the danger that it does not support all cards that were originally supported. The libraries might also break ABI.
  See also Andreas' reply in the thread starting at https://lists.debian.org/debian-lts/2023/06/msg00032.html

LTS and ELTS:

php-cas:
  Ongoing work to prepare updated packages for CVE-2017-171, an authentication bypass vulnerability (please see the CVE for details). Unfortunately the change required is API breaking, so reverse dependencies need to be fixed as well. In buster, those are:
  - fusiondirectory (patch for the CVE-2017-171 ready)
  - ocsinventory-server (TODO)
  As users might be using software using php-cas not in Debian, to give them an opportunity to fix the packages on their side, preliminary packages are available. See this thread and replies for more information and where those are: https://lists.debian.org/debian-lts/2023/06/msg00058.html
  fusiondirectory also needs some fixes of its own; I'm coordinating the upload with Abhijith PA, as they have been working on the package for those. The plan is to upload php-cas, fusiondirectory and ocsinventory-server at the same time, once ocsinventory-server is ready.
  For stretch, php-cas has only unsupported reverse dependencies in Debian; still, this needs coordination with users of the package to get their software updated. After this coordination is done, I plan to upload php-cas for stretch.

ELTS:

yajl:
  ELA-888-1 (stretch/jessie), CVE-2023-33460, a memory leak that can lead to DoS.

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors

Cheers,
-- 
tobi
Debian LTS and ELTS - June 2023
Here is my public monthly report. Thanks to our sponsors for making this possible, and to Freexian for handling the offering.
https://www.freexian.com/lts/debian/#sponsors

LTS
- openssl
  - Reference/refresh recent patches in the security tracker
  - DLA 3449-1 (4 CVEs)
    https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html
- ffmpeg
  - Track fixed CVEs in past upload
  - DLA 3454-1 (4.1.10->4.1.11 upgrade, with unregistered vulnerabilities)
    https://lists.debian.org/debian-lts-announce/2023/06/msg00016.html
- python-werkzeug/bullseye upcoming DSA
  - Review (based on my DLA 3346-1 for the same package)
- Front-Desk
  - Mark 16 packages for update
  - Triage or precise triage for 15+ CVEs
  - Request new CVE for package 'osslsigncode'
  - Clean-ups/precisions in work queue and package database
  - Follow-up on upload-related issues

ELTS
- sysstat
  - ELA-866-1 (1 CVE)
    https://www.freexian.com/lts/extended/updates/ela-866-1-sysstat/
- Front Desk
  - Associate CVEs from newer, branched Debian packages with different names to older ELTS packages (emacs*, golang*, netty*, openssl*, php*, python*, tomcat*)
  - Mark 11 supported packages for update
  - Triage or precise triage for 10+ CVEs
  - Clean-ups/precisions in work queue

Documentation and tooling
- Continue discussion on making stable-security build logs public after package release, now involving other teams
  https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/51
  https://lists.debian.org/debian-lts/2023/06/msg1.html
- Tooling: continue to revamp work queue report ('find-work') (private tooling planned to be made public)
  - Continue clean-up and finish review processes
  - Convert work queues (dla_needed.txt, ela_needed.txt) to drop duplicate information
  - Display warning if the Debian package maintainer requests involvement in LTS uploads (from 'data/packages/lts-do-call-me')
  - Display age in the work queue for each planned upload
- LTS Documentation
  - TestSuites: ffmpeg: refresh for buster
    https://lts-team.pages.debian.net/wiki/TestSuites/ffmpeg.html
  - TestSuites: golang: refresh uploads involving reverse-dependencies
    https://lts-team.pages.debian.net/wiki/TestSuites/golang.html#finding-reverse-build-dependencies
  - TestSuites: refresh index, fix mark-up
    https://lts-team.pages.debian.net/wiki/TestSuites.html
    https://lts-team.pages.debian.net/wiki/TestSuites/php.html
  - Development: drop coordinator work from front-desk section, update/simplify 'package-operations' documentation, clarify debian-archive-keyring rationale
    https://lts-team.pages.debian.net/wiki/Development.html
  - Guide non-security LTS upload from non-team contributor
    https://bugs.debian.org/1039489
- Continue internal discussions on packages claimfiles format/workflow
- Jitsi team meeting

-- 
Sylvain Beucler
Debian LTS Team
Debian LTS report for June 2023
During the month of June 2023 and on behalf of Freexian, I worked on the following:

* DLA-3442-1 for nbconvert=5.4-2+deb10u1 [CVE-2021-32862: GHSL-2021-1013 to -1028]
  https://lists.debian.org/msgid-search/?m=zhteirpktw6wr...@debian.org
* DLA-3458-1 for php7.3=7.3.31-1~deb10u4 [CVE-2023-3247]
  https://lists.debian.org/msgid-search/?m=zjedyafkomsgp...@debian.org
* DLA-3460-1 for python-mechanize=1:0.2.5-3+deb10u1 [CVE-2021-32837]
  https://lists.debian.org/msgid-search/?m=zjg1ykrw4kyn9...@debian.org
* DLA-3463-1 for opensc=0.19.0-1+deb10u2 [CVE-2019-6502, CVE-2021-42779, CVE-2021-42780, CVE-2021-42781, CVE-2021-42782 and CVE-2023-2977]
  https://lists.debian.org/msgid-search/?m=ZJI9/b4xxwuwn...@debian.org
* DLA-3469-1 for lua5.3=5.3.3-1.1+deb10u1 [CVE-2019-6706 and CVE-2020-24370]
  https://lists.debian.org/msgid-search/?m=zjtqrum3nm%2bcvj%...@debian.org

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

-- 
Guilhem.