Hi,

May 2018 was my 21st month as a paid Debian LTS contributor. I was allocated 24.25 hours. I have spent all of them on the following tasks:

* Continue my tiff work: Continue investigations on CVE-2018-8905. Prepare a patch draft, but in the end upstream published its own patch before I could submit mine. Prepare a wheezy upload shipping upstream's patch and test it: DLA 1377-1 and 1378-1.

* Continue my libav work: Ask vulnerability reporters to communicate their reproducers. Also, take a look at CVE-2018-9841 (not affecting Wheezy/Jessie) and start working on CVE-2017-9987, but coming to a mergeable patch is going to be quite long.

* Continue my lame work: Contact security team and prepare Jessie update 3.99.5+repack1-7+deb8u2 together with Fabian Greffrath, test it and submit it to the security team. Still waiting for their approval for upload.

* Continue my ming work:
  - Prepare, test and upload ming 1:0.4.4-1.1+deb7u9 (DLA-1386-1) fixing a new batch of security issues.
  - Reproduce CVE-2018-9132, CVE-2018-9009, CVE-2018-7876, CVE-2018-7866, and CVE-2018-7873, prepare patches for these issues and submit them to upstream.
  - Take a look at CVE-2018-8964, CVE-2018-8963, CVE-2018-8962, CVE-2018-8961, CVE-2018-8807, CVE-2018-7874, and CVE-2018-8806, which are already fixed in 3a000c7 shipped in 1:0.4.4-1.1+deb7u8. Also take a look at CVE-2018-7877, which was already fixed in eea2a55, also shipped in 1:0.4.4-1.1+deb7u8.
  - Take a look at memory leak issues CVE-2017-11705, CVE-2017-11703 and CVE-2018-7869 and mark them ignored.
  - Take a look at CVE-2018-11226, start to develop a patch, but the second part of the issue is pretty complex, still working on it.

* Also, I've had a look at the removed packages glitch in the tracker[0]. In the end Salvatore declared it is not a bug, so I stopped working on it.

* Test Roberto's apache2 update.
Best Regards,
Hugo

[0] https://lists.debian.org/debian-lts/2018/05/msg00039.html

-- 
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA