LTS report August 2024
======================


1. I discussed how to fix CVE-2024-34750 in tomcat10 with co-maintainer
   Emmanuel Bourg in line with other currently supported tomcat versions. We
   discovered several problems with the proposed upstream patch including test
   failures. Since there were many changes to the HTTP/2 request parsing
   mechanism, we decided to upgrade tomcat10 to the latest upstream release
   instead. The security update is pending.

2. I have been working on a security update for exim4 in bullseye fixing 4 CVE.
   (CVE-2021-38371, CVE-2022-3559, CVE-2023-42117, CVE-2023-42119)

3. I also investigated the currently open CVE in smarty3 (3 CVE) and
   proftpd-dfsg which I had previously worked on in buster and older versions.