ELTS report November 2023
=========================

1. ELA-1001-1. Issued a security update for postgresql-9.6 fixing 4 CVE in Stretch. This update included the fix for CVE-2023-39417, which I had been working on in October, and three new CVE published at the beginning of November.
2. ELA-1003-1. Issued a security update for postgresql-9.4 fixing 2 CVE in Jessie. This update included the fix for CVE-2023-39417, which I had been working on in October, and the fix for one new CVE, CVE-2023-5869. I triaged CVE-2023-5868 as not-affected and CVE-2023-5870 as no-dsa because it was a minor issue and only exploitable in an unlikely rare edge case.
3. Netty: I marked CVE-2023-44487 in Stretch as ignored because in order to properly fix this problem we would have to backport the whole codec-http2 module from Buster at the minimum. Everything else would not have addressed the problem completely since other issues like CVE-2021-21409 and CVE-2021-21295 were already ignored. A simple workaround exists by switching to HTTP/1 instead.
4. I have been ELTS frontdesk from 13.11.2023 to 19.11.2023 and triaged newly discovered CVE in supported packages.
5. GnuTLS: I investigated CVE-2023-5981 and decided to mark Jessie and Stretch as ignored. The patch to fix CVE-2023-5981 relies on a new function, gnutls_privkey_decrypt_data2, first introduced in version 3.6.5. This may break existing applications. Timing attack vulnerabilities are usually hard to exploit because the measurement of those differences depends on several factors like processor architecture, algorithms used, accuracy of the measurement, etc.
6. ELA-1008-1. Issued a security update for audiofile fixing 2 CVE in Stretch. I reviewed the patches prepared by Bastien Roucaries.
7. ELA-1009-1. Issued a security update for symfony fixing 1 CVE in Stretch.
8. ELA-1018-1. Issued a security update for rabbitmq-server fixing 1 CVE in Stretch.
9. Bouncycastle, CVE-2023-33202: I investigated the impact of a potential denial of service attack and contacted the upstream developers for further information. The investigation has not been concluded yet.
10. I have been working on a security update of squid3 in Jessie and Stretch and investigated the six currently open CVE. The work on these problems is still ongoing.