LTS report June 2024
====================

1. After investigating the currently open CVEs in ghostscript and preparing a security update, I came to the conclusion that the version in buster is not affected by CVE-2024-33869 and CVE-2024-33870 because the gp_validate_path_len function was introduced later. The fixes for the other problems relied on newer ghostscript APIs, and I did not feel comfortable trying to address these issues without them. We made the team decision to ignore them.

2. DLA-3833-1. Issued a security update for php7.3 fixing 1 CVE in buster.

3. DLA-3834-1. Issued a security update for netty fixing 1 CVE in buster.

4. DLA-3845-1. Issued a security update for dlt-daemon fixing 4 CVEs in buster.

5. DLA-3851-1. Issued a security update for gunicorn fixing 1 CVE in buster.

6. DLA-3852-1. Issued a security update for edk2 fixing 1 CVE in buster.

7. DLA-3853-1. Issued a security update for tryton-server fixing one issue, also known as a "zip bomb attack", in buster.

8. DLA-3854-1. Issued a security update for tryton-client fixing one issue, also known as a "zip bomb attack", in buster.

9. CVE-2024-33655, unbound: investigated and finally marked buster as ignored. Reasoning: Unbound itself is not affected by the DoS attack, but it could be part of a distributed denial of service attack against other services/servers, provided all conditions are met, which is non-trivial to do. However, the patch introduced new configuration options which in turn rely on features that are not present in 1.9. For instance, there is no cookie support, and there is also no distinction when unbound is used in a proxy scenario. My patch removed the cookie part of the patch, ignored the remote_addr / client_addr part, and just used the UDP IP address. I do not feel confident enough that this is a proper solution to the problem, though. Since there is no imminent risk for unbound users, we decided to mark this problem as ignored.