Hi,

Here is my LTS report for December.

I was allocated 20 hours. I have spent all of them on the following
tasks:

* libsndfile:
  + investigate CVE-2018-19432 and show it is a duplicate of
    CVE-2018-13139. Do not ask for CVE rejection though since
    issues have different symptoms/paths and seem to be
    (legitimately) registered under different categories.
  + investigate CVE-2018-19661, CVE-2018-19662, CVE-2017-17456
    and CVE-2017-17457, show that they are not duplicates,
    prepare a patch addressing these issues and get it reviewed by
    upstream (was merged in master).
  + investigate CVE-2017-14245 and CVE-2017-14246 and show they are
    duplicates of CVE-2017-17457 and CVE-2017-17456. Ask for CVE
    rejection.
  + prepare security update addressing CVE-2018-13139, CVE-2018-19432,
    CVE-2017-8365, CVE-2017-8363, CVE-2017-8362, CVE-2017-8361,
    CVE-2017-14634, CVE-2017-17457, CVE-2017-17456, CVE-2017-14246,
    CVE-2017-14245, CVE-2018-19662 and CVE-2018-19661. Test and publish
    it (DLA 1618-1).
  + take a look at CVE-2018-19758, report bug on upstream bug tracker
    (was only tracked on Red Hat's bug tracker) and start investigating
    the issue.

* openjpeg2:
  + finish my patch for CVE-2018-6616 and get it reviewed by upstream
    (was merged in master).
  + find patch for CVE-2018-14423, update the tracker.
  + prepare security update shipping previous patches, test and upload
    it (DLA 1614-1).

* tiff:
  + update my patch for CVE-2018-19210 according to upstream's review. The
    patch is still under review at the moment.
  + investigate undetermined issue CVE-2018-5360 and show it is a duplicate
    of older issue CVE-2014-8127. Ask for CVE rejection.

* sleuthkit:
  + prepare a security update addressing CVE-2018-19497, test and upload
    it (DLA-1610-1).

* graphicsmagick:
  + Investigate CVE-2018-20184, come up with a trimmed-down version of
    upstream patch.
  + Prepare, test and upload a security update addressing CVE-2018-20184,
    CVE-2018-20185 and CVE-2018-20189 (DLA 1619-1).

Best Regards,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C