LTS Activity Report for November 2017
During November I worked 14 of the allocated 16.5 hours (11h + 5.5h from
previous months) on LTS. During this time I did the following:
* libvorbis: Developed patches for CVE-2017-14632, CVE-2017-11333 (the
latter one needs a fix in sox (and other packages) too). I did not
release a DLA yet since I was waiting for feedback from upstream
(which does not seem to happen). So I contacted the security team so
we can fix sid and the stable releases too in December.
* Looked into openexr CVEs. It took me some time to reproduce
CVE-2017-12596 since it didn't show up with either wheezy
or openexr git master. After using the version the initial reporter
used and bisecting, it turned out that this CVE was already addressed
by the fix for another CVE in DLA-1083-1. CVE-2017-14988 was not
worth a separate upload, so I tagged it as postponed.
* Reworked report-vuln so it can produce the complete bug report
and fire up the mailer to send it to the BTS.
* Created a lts-bts script to contact maintainers about issues in LTS
via the BTS instead of direct mails (no feedback so far on this).
* Tested the libxml2 security update prepared by Thorsten Alteholz.
* Prepared and tested Thunderbird 52.5 packages based on Carsten's work
for sid. This resulted in DLA-1199-1 (which was released in December).
* Looked into swftools CVEs. After discussion with Moritz we'll likely
turn it into a package with limited security support since there
are many issues but it's mostly used as a build-dep in Debian.