ELTS report August 2024
=======================

1. ELA-1157-1. Completed the security update for glib2.0 in the Jessie distribution to fix CVE-2024-34397.

2. I prepared a patch to address CVE-2024-21733 in tomcat9 and tomcat8. While at first glance it seemed that the tomcat versions were not affected by CVE-2024-34750, a more thorough investigation revealed that tomcat9 was indeed vulnerable because the version lacked various HTTP/2-related changes from subsequent releases. I considered upgrading tomcat9 to the latest supported upstream version and prepared a new Debian release. This would have had the advantage of adopting all HTTP/2 improvements over the last couple of years and better test coverage. Since there were multiple unrelated changes, it also posed a risk of introducing new regressions. I finally decided to backport relevant changes only to fix CVE-2024-21733 in the near term eventually.