LTS Link to heading
Released DLAs, ELAs Link to heading
DLAs: Link to heading
-
DLA-2937-1 gif2apng_1.9+srconly-2+deb9u2
- CVE-2021-45909: heap-based buffer overflow vulnerability in the DecodeLZW function. It allows an attacker to write a large amount of arbitrary data outside the boundaries of a buffer.
- CVE-2021-45910: heap-based buffer overflow within the main function. It allows an attacker to write data outside of the allocated buffer.
- CVE-2021-45911: heap based buffer overflow in processing of delays in the main function.ssh
-
DLA-2948-1 debian-archive-keyring_2017.5+deb9u2
-
This upload did not close any CVEs. It adds bullseye signing GPG-keys: automatic Signing Key, stable Release Key, Security Archive Automatic Signing Key for the Stretch.
-
CVE-2021-40401: use-after-free vulnerability exists in the RS-274X aperture definition tokenization functionality. A specially-crafted gerber file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
-
ELAs: Link to heading
-
ELA-579-1 debian-archive-keyring_2017.5~deb8u2
- This upload did not close any CVEs. It adds buster and bullseye signing GPG-keys: automatic Signing Key, stable Release Key, Security Archive Automatic Signing Key for the Jessie release.
-
ELA-581-1 libxml2_2.9.1+dfsg1-5+deb8u12
- CVE-2022-23308: the application that validates XML using xmlTextReaderRead() with XML_PARSE_DTDATTR and XML_PARSE_DTDVALID enabled becomes vulnerable to this use-after-free bug. This issue can result in denial of service.
Several packages are in a pipeline and fixes will be released soon.
Other (E)LTS-related work Link to heading
- Uploaded gif2apng_1.9+srconly-2+deb9u1 with one missing patch. Fixed in gif2apng_1.9+srconly-2+deb9u2 and released DLA
- Analyzed CVE-2022-24986 for stretch. Decided to mark it as ignored. Minor issue, patch is too intrusive to backport.
- Updated documentation for ELTS to make an upload. Initiated the discussion about one source for documentation.
- Analyzed CVE-2021-25636 (libreoffice) and decided not to fix it for stretch.
- Participated in the Debian LTS team IRC-meeting
- Update 42 projects in salsa repo “Packages for (E)LTS” according to DEP-14 schema.
- Fixed CVE-2021-40401 in the gerbv package in the git. Postponed upload due to some more CVEs, not fixed yet by upstream.
- Fixed CVE-2019-13590 in the sox package in the git. Postponed upload due to CVE-2021-40426, not fixed yet by upstream.
- Fixed CVE-2021-4189 and CVE-2021-23336 by the upload of python2.7_2.7.18-13.1 (both were previously fixed for stretch).
- Fixed CVE-2021-40401 in git. Other CVEs do not have a proper patch. Review later.
Debian Science Team / Debian electronics team Link to heading
- Uploaded:
- lammps_20220106.git7586adbb6a+ds1-1
- lammps_20220106.git7586adbb6a+ds1-2
- yade_2022.01a-7
- bme280_0.2.4-1
- luma.emulator_1.4.0-2
- luma.lcd_2.9.0+ds1-2
- luma.oled_3.8.1+ds1-2
Other Debian activities Link to heading
- Voted on the “GR: Voting secrecy”
- Uploaded dokuwiki_0.0.20200729-0.1~bpo11+1 into bullseye-backports
- Uploaded dokuwiki_0.0.20220317_gitaeff85c-0.1_exp1 into experimental
- new lammps will be available in the upcoming Ubuntu LTS 22.04.
Other FLOSS activities Link to heading
- Participated in YADE bimonthly meeting.