LTS report March 2024
=====================

1. I investigated the open CVEs for imlib2, but in the end only the Bullseye distribution was affected and the fix for the 3 CVEs was trivial. The new package is currently available in oldstable-proposed-updates. (#1068514)

2. DLA 3780-1 / DSA-5664-1. Issued a security update for Jetty 9 fixing 1 CVE (CVE-2024-22201) in Buster/Bullseye/Bookworm.

3. DLA 3779-1. Issued a security update for tomcat9 fixing 2 CVEs in Buster. I triaged CVE-2024-21733 as postponed because the error reporting problem is of minor importance and failing tests indicate that the patch may break existing setups.

4. DSA-5666-1. Issued a security update for tomcat9 fixing 3 CVEs in Bullseye. Similar to Buster, I marked CVE-2024-21733 as postponed until we have determined the root cause of the failing tests.

5. DSA-5665-1. Issued a security update for tomcat10 fixing 3 CVEs in Bookworm. This update is in line with the tomcat9 updates. Eventually tomcat10 will replace tomcat9 in LTS releases.

6. I continued to work on squid. In the meantime, team member Daniel Leidert could identify the potential patch (rather a code removal) to address CVE-2023-49288.

7. I have been working on two security updates for WordPress which address the open CVEs in Bullseye and Bookworm. I have already contacted the Debian maintainer Craig Small and intend to ask him for a review shortly.

8. I have been updating the libpgjava package because of CVE-2024-1597 in Buster and had a look at the remaining issues in Bullseye.