LTS
Released DLAs
- DLA-2705-1 scilab_5.5.2-4+deb9u1
  - CVE-2021-31598: Out-of-bounds write in ezxml_decode() leading to heap corruption
  - CVE-2021-31347, CVE-2021-31348: incorrect memory handling in ezxml_parse_str() leading to out-of-bounds read
  - CVE-2021-31229: Out-of-bounds write in ezxml_internal_dtd() leading to out-of-bounds write of a one byte constant
  - CVE-2021-30485: incorrect memory handling, leading to a NULL pointer dereference in ezxml_internal_dtd()
With this upload, not all open CVEs in this package were closed, because some of the CVEs have not been fixed by upstream yet. Added links to the upstream bug reports for the following CVEs to data/CVE/list on the security tracker: CVE-2021-31598 CVE-2021-31348 CVE-2021-31347 CVE-2021-31229 CVE-2021-30485 CVE-2021-26222 CVE-2021-26221 CVE-2021-26220 CVE-2019-20202 CVE-2019-20201 CVE-2019-20200 CVE-2019-20199 CVE-2019-20198 CVE-2019-20007 CVE-2019-20006 CVE-2019-20005.
- DLA-2707-1 sogo_3.2.6-2+deb9u1
  - CVE-2021-33054: SOGo does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method.
Other LTS-related work
- Many hours were spent working on ffmpeg, where 18 CVEs are currently open. Some of them are fixed in git. The work is ongoing.
- Analyzed CVE-2020-22035 and marked as not-affected for stretch.
- Analyzed CVE-2020-22034 and marked as not-affected for stretch.
- Analyzed CVE-2020-22033 and marked as not-affected for stretch.
- Analyzed CVE-2020-22030 and marked as not-affected for stretch.
- Analyzed CVE-2020-22029 and marked as not-affected for stretch.
LTS-Meeting
I attended the Debian LTS team IRC-meeting this month.