LTS report December 2023
========================

Due to the holiday season at the end of December, some of the work was postponed until January. I intend to update this report with more information in January. The January 2024 and December 2023 reports should be considered as a whole.

1. I investigated CVE-2023-33202 in bouncycastle (Buster) and found the package was vulnerable. There have been several changes related to the ASN1 code up until now, and our lesson learned from newer versions of Bouncycastle was that those changes will break dependencies which have not been upgraded yet. Looking at the exploit scenario, I decided to ignore CVE-2023-33202 because the worst outcome is an out-of-memory error when parsing untrusted certificates, and a method to avoid the problem is to filter PEM requests.

2. DLA-3696-1. Issued a security update for asterisk fixing 4 CVEs in Buster.

3. DLA-3706-1. Issued a security update for netatalk fixing 1 CVE in Buster.

4. DSA-5596-1. Issued a security update for asterisk fixing 4 CVEs in Bullseye.

5. DLA-3708-1. Issued a security update for exim4 fixing 1 CVE in Buster.

6. DLA-3709-1. Issued a security update for squid fixing 5 CVEs in Buster. New CVEs have been reported in December, and the goal was to incorporate those findings into the next DLA. I marked CVE-2023-46728 as ignored because the Gopher protocol is no longer supported upstream and, since it is rarely used these days, the easiest way to avoid the problem is to reject Gopher URL requests. I reviewed CVE-2023-5824 and found that the code changes were significant, and finding a proper solution may require more time.

7. DSA-xxxx-1. Issued a security update for squid fixing X CVEs in Bullseye and X CVEs in Bookworm. The update is pending and is related to DLA-3709-1. Only the version in Bookworm is still supported upstream, and Bullseye has similar issues as the version of Squid in Buster. All in all, the update is intended to improve the consistency across all Debian distributions.

8. I triaged CVE-2023-51764 in postfix as no-dsa because there exists a configuration setting to mitigate the problem. The problem is related to DLA-3708-1 (exim4).

9. I have been looking into the existing problems in knot-resolver, a DNSSEC-validating DNS resolver. The work is still ongoing.
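The Gopher workaround mentioned in item 6, written out as squid.conf lines. This is an added example, not text from the report and not a Debian patch; the two directives follow the workaround Squid upstream published for CVE-2023-46728 as I recall it, and the ACL name `gopher` is an arbitrary choice. The deny rule has to come before any http_access allow rule that would otherwise match the request.

```conf
# Added example, not from the LTS report: reject every request whose URL
# scheme is gopher:// so the unsupported Gopher code path is never reached.
# ACL name "gopher" is arbitrary; "proto" matches the URL scheme.
acl gopher proto gopher
http_access deny gopher

# ... existing http_access allow rules follow here ...
```

After editing the file, `squid -k parse` reports syntax errors and `squid -k reconfigure` reloads the rules without a restart; a `gopher://` request through the proxy should then be answered with an access-denied error page instead of being forwarded.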
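The Postfix mitigation referred to in item 8, as an added example (not from the report and not Debian's patch). The parameter names are taken from Postfix upstream's guidance for CVE-2023-51764, not from this report: `smtpd_forbid_bare_newline` exists only in releases that carry the fix, while the `smtpd_data_restrictions` and `smtpd_discard_ehlo_keywords` lines are upstream's interim workaround for older releases. Which of the two applies to the Postfix version in a given Debian suite is an assumption to verify on the host rather than something this report states.

```conf
# Added example, not from the LTS report. Put in /etc/postfix/main.cf.

# Preferred setting on releases that carry the upstream fix: reject
# messages that use bare <LF> line endings in the SMTP session.
# (Assumption: the running Postfix knows this parameter; see note below.)
smtpd_forbid_bare_newline = yes

# Interim workaround for older releases without the parameter above:
# refuse DATA that arrived as unauthorised pipelining and advertise no
# CHUNKING, so the BDAT path cannot be used to bypass the check.
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking
```

Run `postconf smtpd_forbid_bare_newline` to find out which case applies: if postconf reports the parameter as unknown, the installed release predates the fix and only the two interim lines take effect, so they should stay in place until the package is upgraded. Apply the change with `postfix reload`.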