ELTS report April 2024
======================

1. Frontdesk duties from 15.04.2024 until 21.04.2024. I have been triaging and investigating CVEs in apache2, openssl, pillow, less, openjdk-8, netty, openexr, tcpdf, pymongo, varnish, ffmpeg, gunicorn and libmojolicious-perl.

2. ELA-1089-1. Issued a security update for less fixing 2 CVEs in Stretch and Jessie.

3. ELA-1092-1. I have been working on a security update for php7.0 fixing 2 CVEs in Stretch (CVE-2024-2756 and CVE-2024-3096).

4. ELA-1091-1. I have been working on a security update for php5 fixing 2 CVEs in Jessie (CVE-2024-2756 and CVE-2024-3096).

5. I have been looking closer into the tcpdf problems caused by mishandling of HTML syntax. I believe a backport would be intrusive because it introduces new configuration options. While CVE-2024-22640 is per se a minor issue, because it would be immediately noticed and would not do much harm, the fix for CVE-2024-32489 introduces a whitelist of methods that users are allowed to use. This is certainly an improvement, but it does not nullify the possibility of a malicious user trying to abuse any method available to them by manipulating the HTML syntax of a document under their control. The only way to avoid that is to restrict access entirely and not process untrusted user input.

6. I have been working on CVE-2024-29025, assigned to netty. This issue affects netty's ability to decode multipart requests; the tests have not been completed yet. An update will be released for Debian Buster first.