2021/07, FLOSS activity

LTS

This is my fifth month of working for LTS.

Released DLAs

  1. DLA-2705-1 scilab_5.5.2-4+deb9u1

    • CVE-2021-31598: Out-of-bounds write in ezxml_decode() leading to heap corruption
    • CVE-2021-31347, CVE-2021-31348: incorrect memory handling in ezxml_parse_str() leading to out-of-bounds read
    • CVE-2021-31229: Out-of-bounds write in ezxml_internal_dtd() leading to out-of-bounds write of a one byte constant
    • CVE-2021-30485: incorrect memory handling, leading to a NULL pointer dereference in ezxml_internal_dtd()

    With this upload not all opened CVEs were closed in this package. Because some of CVEs were not fixed yet by upstream. Added links to upstream bug reports for the following CVEs: CVE-2021-31598 CVE-2021-31348 CVE-2021-31347 CVE-2021-31229 CVE-2021-30485 CVE-2021-26222 CVE-2021-26221 CVE-2021-26220 CVE-2019-20202 CVE-2019-20201 CVE-2019-20200 CVE-2019-20199 CVE-2019-20198 CVE-2019-20007 CVE-2019-20006 CVE-2019-20005 into the data/CVE/list on securoty tracker.

  2. DLA-2707-1 sogo_3.2.6-2+deb9u1

    • CVE-2021-33054: SOGo does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method.

LTS-Meeting

I attended the Debian LTS team IRC-meeting this month.

Other FLOSS activities

  1. One week before the full freeze of Debian Bullseye the release-critical bug #990895 against the package httraqt was filed. Thanks to the reporter I could fix it within the hour after the ticket was created, uploaded as the version httraqt_1.4.9-5, filed an unblock-request, which was approved.