2022/01, FLOSS activity

LTS

Released DLAs

  1. DLA-2887-1 lighttpd_1.4.45-1+deb9u1

    • CVE-2018-19052: an issue was discovered in mod_alias_physical_handler in mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of a single directory above an alias target, with a specific mod_alias configuration where the matched alias lacks a trailing ‘/’ character, but the alias target filesystem path does have a trailing ‘/’ character.
  2. DLA-2876-1 vim_2:8.0.0197-4+deb9u4

    • CVE-2017-17087: fileio.c in Vim sets the group ownership of a .swp file to the editor’s primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership.

    • CVE-2019-20807: Users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g., Python, Ruby, or Lua).

    • CVE-2021-3778: Heap-based Buffer Overflow with invalid utf-8 character was detected in regexp_nfa.c in vim.

    • CVE-2021-3796: Heap Use-After-Free memory error was detected in normal.c in vim. A successful exploitation may lead to code execution.
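The mod_alias condition described under DLA-2887-1 (URL prefix without a trailing '/' mapped to a filesystem target with one) can be checked for in a lighttpd configuration before upgrading. The following is an added example, not part of the original post or of the lighttpd project; the config fragment, the regex-based parser and the `harden_alias` suggestion are all assumptions made for illustration.

```python
import re

# Constructed lighttpd.conf fragment (not from the DLA or the lighttpd project).
SAMPLE_CONFIG = '''
server.modules += ( "mod_alias" )
# mismatched: URL prefix has no trailing '/', filesystem target has one
alias.url = ( "/static" => "/srv/www/static/" )
# consistent: both sides end in '/'
alias.url += ( "/docs/" => "/usr/share/doc/" )
# consistent: neither side ends in '/'
alias.url += ( "/cgi-bin" => "/var/www/cgi-bin" )
'''

# One "<url-prefix>" => "<filesystem-path>" pair inside an alias.url block.
ALIAS_PAIR = re.compile(r'"([^"]*)"\s*=>\s*"([^"]*)"')
# An alias.url assignment (= or +=) up to its closing parenthesis.
ALIAS_BLOCK = re.compile(r'alias\.url\s*\+?=\s*\((.*?)\)', re.S)


def parse_alias_url(config_text):
    """Return (url_prefix, target_path) pairs from every alias.url assignment, in order."""
    pairs = []
    for block in ALIAS_BLOCK.finditer(config_text):
        pairs.extend(ALIAS_PAIR.findall(block.group(1)))
    return pairs


def risky_aliases(config_text):
    """Flag the CVE-2018-19052 pattern: prefix lacks a trailing '/', target has one."""
    return [(url, target) for url, target in parse_alias_url(config_text)
            if not url.endswith("/") and target.endswith("/")]


def harden_alias(url_prefix, target_path):
    """Suggested rewrite (assumption): give the prefix a trailing '/' so both sides agree."""
    if not url_prefix.endswith("/"):
        url_prefix += "/"
    return url_prefix, target_path


if __name__ == "__main__":
    for url, target in risky_aliases(SAMPLE_CONFIG):
        fixed_url, fixed_target = harden_alias(url, target)
        print(f'risky: "{url}" => "{target}"  ->  suggest "{fixed_url}" => "{fixed_target}"')
```

The check only covers the simple `alias.url = ( ... )` form; aliases assembled from variables or conditionals are not parsed.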

Several packages are in a pipeline and fixes will be released soon.

  • Prepared an update for the FD-dispatch-script and participated in the first (not an easy…) dispatch.
  • Mark CVE-2021-3770 (package vim) as not-affected in stretch
  • Mark CVE-2021-45101 (package condor) as ignored for stretch. The patch was too destructive and many calls used in this patch are not present in the version in stretch. Too risky to make an upload.
  • Mark CVE-2022-22707 (package lighttpd) as not-affected in stretch
  • Participated in a survey organized by Freexian

Debian Science Team / Debian electronics team

  • Uploaded:

    • alglib_3.18.0-1
    • dyssol_1.0.0+ds1
    • yade:
      • yade_2022.01a-1
      • yade_2022.01a-2
      • yade_2022.01a-3
      • yade_2022.01a-4
      • yade_2022.01a-5~exp1
      • yade_2022.01a-5~exp2
      • yade_2022.01a-5~exp3
      • yade_2022.01a-5
      • yade_2022.01a-6
      • Package yade now ships with different precisions.
    • benchmark_1.6.1-1
    • vtk9_9.1.0+really9.1.0+dfsg2-3~exp2, fixing #1002063
    • vtk9_9.1.0+really9.1.0+dfsg2-3
    • odin_2.0.5-2 to fix FTBFS with vtk9_9.1
    • asl_0.1.7-4, fixing #1004411
  • Sponsored

    • opm-common_2021.10-3
    • opm-material_2021.10-2
    • opm-models_2021.10-2
    • opm-grid_2021.10-1
    • opm-simulators_2021.10-1
    • opm-upscaling_2021.10-1

Other FLOSS activities