Hi,
December 2017 was my 16th month as a paid Debian LTS contributor.
I was allocated 14 hours. I have spent all of them doing the following
tasks:
* Finish debugging ming CVE-2017-11732 and write a patch addressing this
  issue.
  https://github.com/libming/libming/issues/80
  Merged upstream. Will be integrated in the next upload
  (wait for CVE-2017-16898).
* Finish debugging ming CVE-2017-16898 and write a patch addressing this
  issue.
  https://github.com/libming/libming/issues/75
  Patch not submitted yet, waiting for some testing. Should be done next
  month.
* libav support in wheezy:
  Unfortunately, Diego Biurrun (who was handling libav support in
  Wheezy) could not take part in the libav efforts this month due
  to personal issues, so I had to take the reins. I managed to:
  + Investigate libav CVE-2015-8218: not affected
    https://lists.debian.org/debian-lts/2017/12/msg00011.html
  + Investigate libav CVE-2015-8216.
    https://lists.debian.org/debian-lts/2017/12/msg00019.html
    Even though I originally claimed this CVE to not affect Jessie and
    Wheezy, I'm still unable to clearly explain why and a doubt subsists. I
    am going to continue my investigations on this CVE next month.
  + Discover FPE in libav 0.8.21 and investigate it.
    https://lists.debian.org/debian-lts/2017/12/msg00043.html
    I didn't have the time to find the issue behind this vulnerability. I
    am planning to investigate this issue further next month.
The backlog is still very high (46 open/undetermined issues now).
Next month I am planning to finish my work on Ming and dedicate the rest
of my assigned hours to my libav related tasks.
Best Regards,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA