Debian activities (LTS, ELTS)

  • DLA-3638-1 h2o_2.2.5+dfsg2-2+deb10u2

    A vulnerability, CVE-2023-44487, was discovered that could potentially be exploited to disrupt server operation.

    The vulnerability in the h2o HTTP/2 server was related to the handling of certain types of HTTP/2 requests. In certain scenarios, an attacker could send a series of malicious requests, causing the server to process them rapidly and exhaust system resources.

  • Front-Desk duties for LTS and ELTS.

    • Double-checked CVE-2023-30847 and marked it as not-affected in Debian, as the affected versions have never been uploaded.
    • Marked CVE-2023-41914 for slurm-llnl as EOL.
    • Marked CVE-2023-42445 as no-dsa for buster.
    • Added the following packages to dla-needed.txt:
      • h2o
      • roundcube
      • firefox-esr
      • request-tracker4
      • python-urllib3
      • galera-3
      • knot-resolver
      • memcached (elts)
      • apache2 (elts)
      • rabbitmq-server

Other Debian activities

  • boost1.74_1.74.0+ds1-23, closes #1052887
  • golang-github-klauspost-compress_1.17.0+ds1-1~exp1, golang-github-klauspost-compress_1.17.0+ds1-1
  • golang-github-cespare-xxhash_2.2.0-1
  • golang-github-oschwald-maxminddb-golang_1.12.0-1
  • golang-github-nats-io-go-nats_1.30.2-1
  • golang-github-golang-jwt-jwt_5.0.0-1, golang-github-golang-jwt-jwt_5.0.0+really4.5.0-1~exp1
  • alglib_4.0.0-1~exp1
  • alglib_4.0.0-1
  • boost1.81_1.81.0-7, closing #1052892
  • boost1.74 1.74.0+ds1-23, closing #1052887
  • nextcloud-spreed-signaling_1.1.3-1
  • python-pyotp_2.9.0-1
  • benchmark_1.8.3-1
  • h2o_2.2.5+dfsg2-8, fixing CVE-2023-44487, #1054232
  • ocrmypdf_15.2.0+dfsg1-1, fixing #1030339, #1031337, #1031338, #1050101, #1054243
  • boost-defaults_1.83.0.1~exp1
  • golang-github-abbot-go-http-auth_0.4.0-6
  • golang-github-smallstep-cli_0.15.16+ds-4