Debian (E)LTS report for June 2023

2023-08-13 Thread Lee Garrett
In July I worked on the samba testing framework, which can now provision 
bootable Debian VMs effortlessly, and also Windows VMs with the correct guest 
agents. I have also packaged rhsrvany [0] in the process.


The provisioning part of the test framework will also be useful for other 
functional tests that involve multiple VMs (and possibly different OSes) 
interacting with each other, as this currently can't be easily achieved in 
autopkgtest.


Thanks to the sponsors for financing this work, and to Freexian for
coordinating!

[0] https://tracker.debian.org/pkg/rhsrvany

Regards,
Lee Garrett,
Debian LTS Team



(E)LTS report for June 2023

2023-07-03 Thread Adrian Bunk
DLAs released:

DLA-3443-1 wireshark
CVE-2023-2856 CVE-2023-2858 CVE-2023-2879 CVE-2023-2952

DLA-3445-1 cpio
CVE-2019-14866 CVE-2021-38185

DLA-3470-1 owslib
CVE-2023-27476

DLA-3472-1 libx11
CVE-2023-3138

DLA-3474-1 systemd
CVE-2022-3821

DLA-3475-1 trafficserver
CVE-2022-47184 CVE-2023-30631 CVE-2023-33933

DLA-3477-1 python3.7
CVE-2015-20107 CVE-2020-10735 CVE-2021-3426 CVE-2021-3733
CVE-2021-3737 CVE-2021-4189 CVE-2022-45061


ELAs released:

ELA-862-1 wireshark (stretch)
CVE-2023-2856 CVE-2023-2858 CVE-2023-2879 CVE-2023-2952

ELA-863-1 cpio (jessie+stretch)
CVE-2019-14866 CVE-2021-38185

ELA-878-1 libwebp (stretch)
CVE-2023-1999

ELA-881-1 libx11 (jessie+stretch)
CVE-2023-3138

ELA-884-1 python3.5 (stretch)
CVE-2015-20107 CVE-2021-4189 CVE-2022-45061

ELA-885-1 python3.4 (jessie)
CVE-2015-20107 CVE-2022-45061

ELA-886-1 ffmpeg (stretch)
CVE-2022-3109 CVE-2022-3341




(E)LTS report for June 2023

2023-07-01 Thread Tobias Frost
I've worked during June 2023 on the below listed packages, for Freexian
LTS/ELTS [1]

Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS:


nvidia-cuda-tools:
 Triaging, with the result that an update probably
 does not make sense, as fixes for the CVEs are not available for the version
 in buster, and a newer version has the danger that it does not support all
 cards that were originally supported. The libraries might also break ABI.
 See also Andreas' reply in the thread starting at
 https://lists.debian.org/debian-lts/2023/06/msg00032.html


LTS and ELTS:

php-cas:
 Ongoing work to prepare updated packages for CVE-2017-171,
 an authentication bypass vulnerability (please see the CVE for details).
 Unfortunately the change required is API breaking, so reverse dependencies
 need to be fixed as well. In buster, those are:
 - fusiondirectory (patch for the CVE-2017-171 ready)
 - ocsinventory-server (TODO)

 As users might be using software using php-cas not in Debian, to give them
 an opportunity to fix the packages on their side, preliminary packages are
 available. See this thread and replies for more information and where those
 are: https://lists.debian.org/debian-lts/2023/06/msg00058.html

 fusiondirectory also needs some fixes of its own; I'm coordinating the upload
 with Abhijith PA, as they have been working on the package for those.

 The plan is to upload php-cas, fusiondirectory and ocsinventory-server at the
 same time, once ocsinventory-server is ready.

 For stretch, php-cas has only unsupported reverse dependencies in Debian;
 still, this needs coordination with users of the package to get their
 software updated. After this coordination is done, I plan to upload php-cas
 for stretch.


ELTS:


yajl:
 ELA-888-1 (stretch/jessie), CVE-2023-33460, a memory leak that can lead to
 DoS.



[1]  https://www.freexian.com/lts/
[2]  https://www.freexian.com/lts/debian/#sponsors

Cheers,
-- 
tobi


