ELTS report January 2024
========================

1. ELA-1032-1. Issued a security update of asterisk fixing 2 CVE in Stretch. As hinted in the December 2023 report I marked CVE-2023-49786 as ignored because the solution introduced a regression.
2. ELA-1037-1. Issued a security update of squid3 fixing 5 CVE in Jessie and Stretch. As for CVE-2023-46728 I was unable to address the problem because the upstream developers simply declared the Gopher protocol as unsupported from now on. I believe this decision will not impact any supported squid3 installation. We still investigate the security impact of CVE-2023-5824, CVE-2023-46846 and CVE-2023-49288.
3. ELA-1040-1. Issued a security update of xorg-server fixing 6 CVE in Stretch.
4. ELA-1043-1. Issued a security update of xorg-server fixing 6 CVE in Jessie.
5. tomcat7/tomcat8. Investigated the impact of CVE-2024-21733 for Jessie and Stretch and CVE-2023-46589 for Jessie. Both issues are rather minor hence why the fix can be postponed.
6. ELA-1046-1. Issued a security update of unbound1.9 fixing 2 CVE in Stretch.
7. ELA-1048-1. Issued a security update of jinja2 fixing CVE-2024-22195 for Jessie and Stretch.
8. ELA-1049-1. Issued a security update of evince fixing CVE-2023-51698 in Stretch. Eventually I decided against disabling the comic book backend and patched Evince to use libarchive instead.
9. I have been ELTS frontdesk from 08.01.2024 to 14.01.2024. I triaged and investigated CVE in: cpio, evince, filezilla, freeimage, jinja2, libcrypto++, openssl, redis, sqlite3, libebml, liblivemedia, packagekit, php-phpseclib, phpseclib, qtbase-opensource-src and proftpd-dfsg.