LTS report September 2023
=========================

1. libreswan: I prepared a patch for CVE-2023-38712 and pushed it to our Git repository on the experimental branch. However, the upstream patch for CVE-2023-38710 did not apply at all due to code refactoring. I intend to package the version from Bullseye instead as soon as the maintainer uploads the security update for Bullseye. I believe this is the best solution since libreswan is a leaf package and the maintainer is actively supporting stable releases.

2. DSA-5502-1. Issued a security update for xrdp fixing 10 CVE in Bullseye. xrdp was already fixed in Debian "Buster" and Debian stable, and this update improves the consistency across all distributions since Bullseye will be the new LTS version in a few months. I investigated a possible regression in xrdp (#1052197), which led me to the finding that xorgxrdp had to be rebuilt against the new version of xrdp too.

3. DLA-3572-1. Issued a security update for libyang fixing 8 CVE in Buster. The update was required to update frr, its only reverse-dependency.

4. DLA-3573-1. Issued a security update for frr fixing 10 CVE in Buster. I have been working on a security update for frr. I investigated the possibility of fixing single issues with targeted patches but eventually decided against it because some of them needed other preconditions, which included backporting much more code from later versions. Since version 6.x is no longer supported by the upstream developers, upgrading to the 7.x branch makes possible future updates more maintainable.

5. DLA-3576-1. Issued a security update for gsl fixing 1 CVE in Buster.

6. DLA-3578-1. Issued a security update for lldpd fixing 1 CVE in Buster.

7. DLA-3580-1. Issued a security update for libapache-mod-jk fixing 1 CVE in Buster to address CVE-2023-41081. I prepared and uploaded new packages for Bullseye and Bookworm as well, tracked via (#1052552 bullseye-pu) and (#1052553 bookworm-pu).

8. DLA-3584-1. Issued a security update for netatalk fixing 1 CVE in Buster.

9. DSA-5507-1 | DLA-3592-1. Issued a security update for jetty9 fixing 5 CVE in Bookworm and Bullseye and 4 CVE in Buster. This update was quite extensive, mainly due to the changes in MultiPart request handling.

10. DLA-3597-1. Issued a security update for open-vm-tools fixing 1 CVE in Buster.

11. DSA-5511-1. Issued a security update for mosquitto fixing 4 CVE in Bookworm and 5 CVE in Bullseye. I debugged a regression caused by the changes to fix CVE-2023-28366 and identified the relevant patches to fix it. I triaged CVE-2023-3592 and CVE-2023-0809 as "not affected" for Debian Buster because the vulnerable code was introduced in later releases. I investigated CVE-2023-28366 and spent a few hours backporting the patches. The changes are non-trivial for Buster and require careful consideration. A working test suite also does not currently exist in Buster. I intend to contact the upstream developers of mosquitto and ask for guidance soon.

12. DLA-3599-1. Issued a security update for exim4 fixing 2 CVE in Buster. I triaged CVE-2023-41115 as not affected and CVE-2023-42117 and CVE-2023-42119 as no-dsa because those problems only exist if users are using either untrusted proxies or DNS resolvers.

13. I was LTS frontdesk from 18.09.2023 to 25.09.2023 and triaged various CVE and packages.