[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

LTS Activity Report for November 2017

during November I worked 14 of the allocated 16.5 hours (11h + 5.5h from
previous months) on LTS. During this time I did the following:

* libvorbis: Developed patches for CVE-2017-14632, CVE-2017-11333 (the
  later one needs a fix in sox (and other packages) too). I did not
  release a DLA yet since I was waiting for feedback from upstream
  (which does not seem to happen). So I contacted the security team so
  we can fix sid and the stable releases too in December.
* Updated 
* Looked into openexr CVEs. It took me some time to reproduce
  CVE-2017-12596 since it didn't show up with either wheezy
  nor openexr git master. After using the version the initial reporter
  used and bisecting it turned out that this CVE was already addressed
  by the fix for another CVE in DLA-1083-1. CVE-2017-14988 was not
  worth a separate upload so tagged it as postponed.
* Reworked report-vuln so it can produce the complete bug report
  and fire up the mailer to send it to the BTS.
* Created a lts-bts script to contact maintainers about issues in LTS
  via the BTS instead of direct mails (no feedback so far on this).
* Tested the libxml2 security update prepared by Thorsten Alteholz
* Prepared and tested Thunderbird 52.5 packages based on Carsten's work
  for sid. This resulted on DLA-1199-1 (which was released in December).
* Looked into swftools CVEs. After discussion with Moritz we'll likely
  turn it into a package with limited security support since there
  are many issues but it's mostly used as a build-dep in Debian.
 -- Guido

Reply to: