(E)LTS report for May 2024

I've worked during May 2024 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! ELTS and LTS: gnutls28 (ELA-1090-1) = This involved a lot of triaging and some verdicts were that the version in

[SECURITY] [DLA 3808-1] intel-microcode security update

- Debian LTS Advisory DLA-3808-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost May 04, 2024 https://wiki.debian.org/LTS

(E)LTS report for April 2024

I've worked during March 2024 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! ELTS and LTS: expat (ELTS) Last month I've woCVE-2023-5242rked on expat for LTS, and the work continued for ELTS -

[SECURITY] [DLA 3797-1] frr security update

- Debian LTS Advisory DLA-3797-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost April 28, 2024https://wiki.debian.org/LTS

[SECURITY] [DLA 3783-1] expat security update

- Debian LTS Advisory DLA-3783-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost April 07, 2024https://wiki.debian.org/LTS

(E)LTS report for March 2024

I've worked during March 2024 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! ELTS and LTS: nss (DLA 3757-1, ELA-1054-1) Completed testing on nss and uploaded the package to LTS

[SECURITY] [DLA 3757-1] nss security update

- Debian LTS Advisory DLA-3757-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost March 10, 2024https://wiki.debian.org/LTS

(E)LTS report for February 2024

I've worked during February 2024 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! ELTS and LTS: nss (WIP) = nss has currently three (buster) and four (jessie,stretch) open vulnerabilties. Some of the

[SECURITY] [DLA 3734-1] openvswitch security update

- Debian LTS Advisory DLA-3734-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost February 17, 2024 https://wiki.debian.org/LTS

(E)LTS report for January 2024

I've worked during January 2024 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! LTS and ELTS - paramiko - CVE-2023-48795 Unfortunatly only _after_ backporting the patch for CVE-2023-48795 (terrapin) and fighting

[SECURITY] [DLA 3717-1] zabbix security update

- Debian LTS Advisory DLA-3717-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost January 24, 2024 https://wiki.debian.org/LTS

(E)LTS report for December 2023

I've worked during December 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! opendkim - DLA-3680-1 (This is ELA-1017-1, but for buster) On mentors.d.n a RFS caught my eyes; the package maintainer has worked

[SECURITY] [DLA 3693-1] osslsigncode security update

- Debian LTS Advisory DLA-3693-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost December 23, 2023 https://wiki.debian.org/LTS

[SECURITY] [DLA 3690-1] intel-microcode security update

- Debian LTS Advisory DLA-3690-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost December 16, 2023 https://wiki.debian.org/LTS

[SECURITY] [DLA 3681-1] amanda security update

- Debian LTS Advisory DLA-3681-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost December 03, 2023 https://wiki.debian.org/LTS

[SECURITY] [DLA 3680-1] opendkim security update

- Debian LTS Advisory DLA-3680-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost December 03, 2023 https://wiki.debian.org/LTS

(E)LTS report for November 2023

I've worked during November 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! LTS: freerdp2: (DLA-3654-1) Third time is a charme. After tackling it in September and October, with DLA-3606-1 fixing a

Re: tinymce git repository

Am 30. November 2023 09:29:32 UTC schrieb Sean Whitton : >Hello Anton, > >Ola added tinymce to dla-needed.txt. > >I found . > >Could you let me know why the repository was archived? > >Thanks. > the repositiory was one of those with an

[SECURITY] [DLA 3655-1] lwip security update

- Debian LTS Advisory DLA-3655-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost November 18, 2023 https://wiki.debian.org/LTS

[SECURITY] [DLA 3654-1] freerdp2 security update

- Debian LTS Advisory DLA-3654-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost November 17, 2023 https://wiki.debian.org/LTS

(E)LTS report for October 2023

I've worked during October 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! ELTS: firmware-nonfree - ELA-981-1 This was a contiunation of DLA-3596-1, which I've released in September, this time for

[SECURITY] [DLA 3538-2] zabbix regression update

- Debian LTS Advisory DLA-3538-2debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost October 21, 2023 https://wiki.debian.org/LTS

[SECURITY] [DLA 3608-1] vinagre update for DLA-3606-1

- Debian LTS Advisory DLA-3608-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost October 07, 2023 https://wiki.debian.org/LTS

[SECURITY] [DLA 3607-1] gnome-boxes update for DLA-3606-1

- Debian LTS Advisory DLA-3607-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost October 07, 2023 https://wiki.debian.org/LTS

[SECURITY] [DLA 3606-1] freerdp2 security update

- Debian LTS Advisory DLA-3606-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost October 07, 2023 https://wiki.debian.org/LTS

(E)LTS report for September 2023

I've worked during September 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! ELTS: zabbix - ELA-945-1, ELA-957-1 After zabbix has been released in August for buster (DLA-3538-1), I've continued to

[SECURITY] [DLA 3596-1] firmware-nonfree security update

- Debian LTS Advisory DLA-3596-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost September 30, 2023https://wiki.debian.org/LTS

Re: suricata

Hi Adrian, On Mon, Sep 25, 2023 at 03:06:52PM +0300, Adrian Bunk wrote: > On Sun, Sep 24, 2023 at 11:34:55AM +0200, Tobias Frost wrote: > > Hi Adrian, > > Hi Tobias, > > > I've just claimed "suricata" for LTS, and the log says that you've > > already work

suricata

Hi Adrian, I've just claimed "suricata" for LTS, and the log says that you've already worked on the package. Unfortunatly I could not find any repository for your LTS changes, if there are some already, can you advice where to look? -- Cheers, tobi signature.asc Description: PGP signature

(E)LTS report for August 2023

I've worked during July 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and sponsors [2] for providing this opportunity! LTS: zabbix - DLA-3538-1 (see advisory for details.) A noteworthy change is for CVE-2013-7484, which changes the way the

[SECURITY] [DLA 3538-1] zabbix security update

- Debian LTS Advisory DLA-3538-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost August 22, 2023 https://wiki.debian.org/LTS

(E)LTS report for July 2023

I've worked during July 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and our sponsors [2] for providing this opportunity! LTS: renderdoc: DLA-3501-1 - CVE-2023-33863, integer overflow possibly allowing RCE - CVE-2023-33864, integer underflow,

[SECURITY] [DLA 3501-1] renderdoc security update

- Debian LTS Advisory DLA-3501-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost July 25, 2023 https://wiki.debian.org/LTS

[SECURITY] [DLA 3492-1] yajl security update

- Debian LTS Advisory DLA-3492-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost July 11, 2023 https://wiki.debian.org/LTS

[SECURITY] [DLA 3487-1] fusiondirectory security update and rebuild for php-cas

- Debian LTS Advisory DLA-3487-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Abhijith PA Tobias Frost

[SECURITY] [DLA 3486-1] ocsinventory-server update for php-cas

- Debian LTS Advisory DLA-3486-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost July 08, 2023 https://wiki.debian.org/LTS

[SECURITY] [DLA 3485-1] php-cas security update

- Debian LTS Advisory DLA-3485-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost July 08, 2023 https://wiki.debian.org/LTS

Re: CVE-2023-33460, ruby-yajl affected?

On Wed, Jul 05, 2023 at 09:06:15AM +, Bastien Roucariès wrote: > Le mercredi 5 juillet 2023, 04:52:48 UTC Anton Gladky a écrit : > > Hello, > > > > I am looking into CVE-2023-33460 and I am not sure that ruby-yajl > > is affected. There is no direct dependency on yajl, where the vulnerability

Re: CVE-2023-33460, ruby-yajl affected?

Am 5. Juli 2023 04:52:48 UTC schrieb Anton Gladky : >Hello, > >I am looking into CVE-2023-33460 and I am not sure that ruby-yajl >is affected. There is no direct dependency on yajl, where the vulnerability >was detected. > >Should ruby-yajl be unmarked as affected by this CVE? > >Thank you >

Re: [SECURITY] [DLA 3478-1] yajl security update

On Sun, Jul 02, 2023 at 01:11:11PM +0200, Tobias Frost wrote: > - > Debian LTS Advisory DLA-3478-1debian-lts@lists.debian.org > https://www.debian.org/lts/security/ Tobias Fro

[SECURITY] [DLA 3478-1] yajl security update

- Debian LTS Advisory DLA-3478-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost July 02, 2023 https://wiki.debian.org/LTS

(E)LTS report for June 2023

I've worked during June 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and our sponsors [2] for providing this opportunity! LTS: nvidia-cuda-tools: Triaging with the result that an update probably does not make sense as fixed for CVEs are not

Re: RFC: php-cas (CVE-2022-39369)

/ (The buster php-cas has been updated to include a NEWS file, but is otherwise unchanged. Those are available from https://people.debian.org/~tobi/php-cas/) cheers, -- tobi On Tue, Jun 27, 2023 at 08:46:25PM +0200, Tobias Frost wrote: > Hi, > > time for an small update: > &

Re: RFC: php-cas (CVE-2022-39369)

-- Cheers, tobi On Sat, Jun 24, 2023 at 01:43:12PM +0200, Tobias Frost wrote: > Hi, > > (Adding yadd as suggested on IRC, solicating yadd's input as well) > > Some updates on php-cas: > > I've continued to work on php-cas to better assess > the situation: I've also receiv

Re: RFC: php-cas (CVE-2022-39369)

github.com/fusiondirectory/fusiondirectory/blob/919b407cdf5c409b20c500e6eadecf0c62270aac/include/login/class_LoginCAS.inc#L48C16-L48C16 On Tue, Jun 20, 2023 at 04:14:42PM +0200, Tobias Frost wrote: > (As suggested, I'm moving the discussion to debian-lts@lists.debian.org, > CC'ing > the security te

Re: RFC: php-cas

(As suggested, I'm moving the discussion to debian-lts@lists.debian.org, CC'ing the security team) > On 19/06/2023 18:17, Tobias Frost wrote: > > Hey, > > > > As I am currently preparing a fix for php-cas to tackle CVE-2022-39369 [1], > > and > > as the chan

nvidia-cuda-toolkit for buster

Hi, I'm currently triaging nvidia-cuda-toolkit for buster: buster has 9.2.148-7+deb10u1, which is upstream version 9.2.148 with patch 1 [1] This seems to be the latest upstream version from the 9.2 series, and 9.2.x seem to be EOL, so there is no new upstream release expected to target any bugs

(E)LTS report for May 2023

I've worked during May 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and our sponsors [2] for providing this opportunity! non-packaging = continuing on "Forking repositories for the LTS namespace" LTS: nvidia-graphics-driver: Triaging

[SECURITY] [DLA 3437-1] libssh security update

- Debian LTS Advisory DLA-3437-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost May 29, 2023 https://wiki.debian.org/LTS

[SECURITY] [DLA 3431-1] sqlite security update

- Debian LTS Advisory DLA-3431-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost May 22, 2023 https://wiki.debian.org/LTS

Re: nvidia-graphics-drivers in DLA needed?

On Wed, May 10, 2023 at 06:09:16PM +0200, Emilio Pozuelo Monfort wrote: > On 10/05/2023 11:42, Tobias Frost wrote: > > On Wed, May 10, 2023 at 10:00:11AM +0200, Emilio Pozuelo Monfort wrote: > > > On 07/05/2023 10:20, Tobias Frost wrote: > > > > Hi, > > > &

[SECURITY] [DLA 3418-1] nvidia-graphics-drivers-legacy-390xx security update

- Debian LTS Advisory DLA-3418-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost May 11, 2023 https://wiki.debian.org/LTS

Re: nvidia-graphics-drivers in DLA needed?

On Wed, May 10, 2023 at 10:00:11AM +0200, Emilio Pozuelo Monfort wrote: > On 07/05/2023 10:20, Tobias Frost wrote: > > Hi, > > > > (this thread is linked in dla-needed.txt and such) I'm not sure > > about the status of the nvidia drivers in LTS, so I thought it > &

Re: nvidia-graphics-drivers in DLA needed?

Hi, (this thread is linked in dla-needed.txt and such) I'm not sure about the status of the nvidia drivers in LTS, so I thought it is better to ask if or not we support nvidia-drivers Said that I've juse claimed them from dla-needed.txt and will work on them, unless someone tells me not to do so

Re: (E)LTS report for April 2023

quot;Re: (E)LTS report for April 2023": > > On Mon, May 01 2023 at 12:33:51 +0200, Tobias Frost scribbled > > in "(E)LTS report for April 2023": > > > I've worked during April 2023 on the below listed packages, for Freexian > > > LTS/ELTS [1] > &

(E)LTS report for April 2023

I've worked during April 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and our sponsors [2] for providing this opportunity! non-packaging = preparing "Forking repositories for the LTS namespace" LTS: intel-mircocode: DLA-3379-1

[SECURITY] [DLA 3390-1] zabbix security update

- Debian LTS Advisory DLA-3390-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost April 12, 2023https://wiki.debian.org/LTS

[SECURITY] [DLA 3390-1] zabbix security update

- Debian LTS Advisory DLA-3390-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost April 12, 2023https://wiki.debian.org/LTS

[SECURITY] [DLA 3387-2] udisks2 regression update

- Debian LTS Advisory DLA-3387-2debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost April 10, 2023https://wiki.debian.org/LTS

[SECURITY] [DLA 3387-1] udisks2 security update

- Debian LTS Advisory DLA-3387-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost April 07, 2023https://wiki.debian.org/LTS

Re: Incomplete: firmware-nonfree (20190114+really20220913-0+deb10u1) buster-security

Hi Philipp, thanks for the notice! On Wed, Apr 05, 2023 at 02:27:03PM +0200, Philipp Hahn wrote: > Hello Tobias, > > According to > > you uploaded the package to "buster-security", but only

(E)LTS report for March 2023

I've worked during March 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and our sponsors [2] for providing this opportunity! LTS: libde265: DLA-3352-1 (10 CVEs, see ELA for details) wireless-regdb: DLA-3356-1 (updating to newer version, for full

[SECURITY] [DLA 3380-1] firmware-nonfree LTS new upstream version (security updates and newer firmware for Linux 5.10)

- Debian LTS Advisory DLA-3380-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost April 01, 2023https://wiki.debian.org/LTS

[SECURITY] [DLA 3379-1] intel-microcode security update

- Debian LTS Advisory DLA-3379-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost April 01, 2023https://wiki.debian.org/LTS

[SECURITY] [DLA 3356-1] wireless-regdb security update

- Debian LTS Advisory DLA-3356-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost March 09, 2023https://wiki.debian.org/LTS

[SECURITY] [DLA 3352-1] libde265 security update

- Debian LTS Advisory DLA-3352-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost March 04, 2023https://wiki.debian.org/LTS

(E)LTS report for February 2023

I've worked during February 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and our sponsors [2] for providing this opportunity! LTS: - wireshark/stretch: DLA-3313-1 (CVE-2022-4345 CVE-2023-0411 CVE-2023-0412 CVE-2023-0413 CVE-2023-0415 CVE-2023-0417)

[SECURITY] [DLA 3340-1] libgit2 security update

- Debian LTS Advisory DLA-3340-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost February 23, 2023 https://wiki.debian.org/LTS

[SECURITY] [DLA 3313-1] wireshark security update

- Debian LTS Advisory DLA-3313-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost February 08, 2023 https://wiki.debian.org/LTS

(E)LTS report for January 2023

I've worked during January 2023 on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and our sponsors [2] for providing this opportunity! LTS: - liapreq2: DLA-3269-1 (CVE-2022-22728) - libde265: DLA-3260-1 (see ELA for CVE list) - modsecurity-apache: DLA-3280-1

[SECURITY] [DLA 3293-1] modsecurity-crs security update

- Debian LTS Advisory DLA-3293-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost January 30, 2023 https://wiki.debian.org/LTS

[SECURITY] [DLA 3283-1] modsecurity-apache security update

- Debian LTS Advisory DLA-3283-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost January 26, 2023 https://wiki.debian.org/LTS

[SECURITY] [DLA 3280-1] libde265 security update

- Debian LTS Advisory DLA-3280-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost January 24, 2023 https://wiki.debian.org/LTS

[SECURITY] [DLA 3269-1] libapreq2 security update

- Debian LTS Advisory DLA-3269-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost January 14, 2023 https://wiki.debian.org/LTS

(E)LTS report for December 2022

After completing on-boarding in November, I've worked during December  on the below listed packages, for Freexian LTS/ELTS [1] Many thanks to Freexian and our sponsors [2] for providing this opportunity! LTS: - virglrenderer -- DLA 3232-1, fixing CVEs: CVE-2019-18388 CVE-2019-18389  

[SECURITY] [DLA 3250-1] multipath-tools security update

- Debian LTS Advisory DLA-3250-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost December 29, 2022 https://wiki.debian.org/LTS

[SECURITY] [DLA 3240-1] libde265 security update

- Debian LTS Advisory DLA-3240-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost December 15, 2022 https://wiki.debian.org/LTS

[SECURITY] [DLA 3238-1] pngcheck security update

- Debian LTS Advisory DLA-3238-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost December 13, 2022 https://wiki.debian.org/LTS

Re: pngcheck - use new upstream version?

Hi, On Sat, Dec 10, 2022 at 01:50:48PM +0100, Salvatore Bonaccorso wrote: > Hi Tobias, > > Speaking of rebasing to 3.0.3, this is in fact what will happen for > pngcheck to be released as DSA by Moritz. He did rebuild pngcheck > 3.0.3-1 for bullseye (versioned 3.0.3-1~deb11u1). Thanks for your

pngcheck - use new upstream version?

Hi, I was analyzing pngcheck this morning and I'm unsure how to proceed so any advice would be appreciated :) pngcheck has one CVE open [1], however it seems that there are multiple vulnerabilities, as upstream changelog [2] and homepage [3] mentions them. Unfortuntatly upstream did major

[SECURITY] [DLA 3232-1] virglrenderer security update

- Debian LTS Advisory DLA-3232-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost December 07, 2022 https://wiki.debian.org/LTS

[SECURITY] [DLA 3176-1] clickhouse security update

- Debian LTS Advisory DLA-3176-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost November 03, 2022 https://wiki.debian.org/LTS

clickhouse - Please review

Hi, I'm currently working on clickhoue for LTS and imported the repository to the lts-team group [0]. As per git workflow instructions I ask for an exception to enable CI: I can't get CI working as during linking it seems to go OOM on the salsa workers. I've tried disabling lto (the package