
Re: August Report



Hello,

Just wondering how I should spend my LTS hours. If I look at the list of
unclaimed packages for LTS: this list is of packages that are under
control, where it is unclear whether they are vulnerable, or that raise
difficult issues. So for the first time since starting LTS work, I am
unsure what I can do that I am capable of doing safely.

For status reports on these packages I have looked at, see the
references in the email I am replying to -
8737lx43j4.fsf@prune.linuxpenguins.xyz.

- this is not counting matrixssl, see my other email for the status of
this, 87oa48qd7k.fsf@prune.linuxpenguins.xyz

=== cut ===
The following packages are used by our customers (by order of decreasing importance, more hours means more important):

* openssl (100 %)  
  NOTE: For CVE-2016-2177, some parts of the upstream patch do not apply
  NOTE: because the wheezy version is completely missing the checks being
  NOTE: fixed!  Those checks should probably be added by cherry-picking
  NOTE: additional upstream changes.
  NOTE: Kurt Roeckx considers CVE-2016-2177 and CVE-2016-2178 to be low
  NOTE: priority issues and will fix them after the next release of OpenSSL.

* roundcube (7.19 %)  

* mailman (0.3 %)  
  NOTE: Thijs Kinkhorst said on debian-lts that he wants to have a look


Remaining issues are: (no customers have expressed need for support yet)

* chicken  

* mat  
  NOTE: the fix for this issue: https://security-tracker.debian.org/tracker/TEMP-0826101-4D75EC
  is not available yet. It will be available in next upstream release (already
  in upstream roadmap).

* matrixssl  
  NOTE: the bignum implementation is in crypto/peersec/mpi.c

* wordpress  
  NOTE: Proposed patch for CVE-2015-8834 doesn't seem to work for Wheezy. DB upgrade fails.
=== cut ===


-- 
Brian May <bam@debian.org>