ELTS report October 2023
========================

1. ELA-976-1. Issued a security update for exim4 fixing 2 CVEs in Stretch and Jessie. I triaged CVE-2023-42115 as not affected, and CVE-2023-42117 and CVE-2023-42119 as no-dsa, because those issues are only relevant if you cannot trust a proxy-protocol proxy or DNS resolver. Also, the fixes can be applied later, as soon as upstream has had time to evaluate the problem.

2. mosquitto: Triaged CVE-2023-0809, CVE-2023-3592 and CVE-2023-5632 as not affected because the vulnerable code was introduced later. I decided to mark CVE-2023-28366 as ignored because fixing the potential memory leak requires a rewrite of the packet handling core functions. The risk of regressions is thus rather high. An upgrade to the version in Bullseye would be a sensible approach because this version has excellent test coverage. At the moment I tend to ignore this problem because of the regression risks involved.

3. ELA-985-1. Issued a security update for tomcat8 fixing 2 CVEs in Jessie and 3 CVEs in Stretch. Jessie was not affected by CVE-2023-44487 (Rapid Reset Attack) because HTTP/2 support was introduced later.

4. ELA-986-1. Issued a security update for tomcat7 fixing 2 CVEs in Jessie. Jessie was not affected by CVE-2023-44487 (Rapid Reset Attack) because HTTP/2 support was introduced later.

5. ELA-985-2. A regression was found in the Http2UpgradeHandler class of Tomcat 8 in Stretch, introduced by the patch to fix CVE-2023-44487 (Rapid Reset Attack). A wrong value for the overheadcount variable forced connections to close early. I debugged the problem and released the update as ELA-985-2.

6. Jetty9 in Stretch was not affected by CVE-2023-44487 and CVE-2023-36478 because HTTP/2 support was added later. I triaged CVE-2023-40167 and CVE-2023-26048 as no-dsa because workarounds exist and those are rather minor problems. CVE-2023-36479 (postponed) is more like an announcement for developers, and a workaround already exists (Fast CGI). I also triaged CVE-2023-26049 as no-dsa because I am not aware of any application in Debian that makes use of the Cookie parsing feature.

7. I have been working on a security update for postgresql-9.4 in Jessie and postgresql-9.6 in Stretch, which will be released shortly.