ELTS report November 2024
=========================

1. I have been working on updating libxstream-java, mainly fixing CVE-2024-47072 and CVE-2021-43859. It is used in several other important packages to parse XML code. This update is mostly done and will be released in the 50th week of 2024.

2. I revisited CVE-2024-10963 in pam, a core Linux package. Eventually upstream decided to act on the problem and introduced a new configuration option to mitigate the problem. The change would require manual interaction by users. During the discussion it turned out that the problem was introduced in pam 1.5.3, which is only shipped in Debian testing and sid. ELTS users are not affected.

3. I continued the work on upgrading all tomcat releases in Debian. The new versions will be available in the 50th/51st week of 2024.