LTS report August 2023
======================

1. DLA-3426-3. Issued a regression update for netatalk to fix Debian bug #1043504.
2. DLA-3534-1. Issued a security update for rar fixing 1 CVE in Buster. Prepared and uploaded a point-update for Bullseye as well. (#1050044)
3. DLA-3535-1. Issued a security update for unrar-nonfree fixing 1 CVE in Buster. Prepared and uploaded a point-update for Bullseye as well. (#1050119)
4. DLA-3540-1. Issued a security update for mediawiki fixing 1 CVE in Buster.
5. DLA-3542-1. Issued a security update for unrar-nonfree fixing 1 CVE in Buster and prepared a point update for Bullseye (#1050119).
6. DLA-3543-1. Issued a security update for rar fixing 1 CVE in Buster and prepared point updates for Bullseye (#1050044), Bookworm (#1050612).
7. DSA-5490-1 / DLA-3556-1. Issued a security update for aom fixing 7 CVE in Buster/Bullseye. I explored the possibility to upgrade aom to version 1.0.0.errata1.avif-1. This was not feasible because the version changes the ABI (#997806). Looking at the huge diff which is mentioned in the security advisory, the solution for CVE-2020-0478 seems to be to introduce a new configuration option called CONFIG_AV1_HIGHBITDEPTH which is set to 1 by default. I don't think that backporting this switch is useful enough as long as it is enabled by default. It is not clear if there would be possible repercussions for reverse-dependencies. Hence I decided to ignore this issue.
8. I triaged CVE-2023-30570, libreswan in Buster as not affected.