
March Report



Hi,

Here is my LTS report for March.

I was allocated 20 hours. I have spent all of them in the following
tasks:

sox:

  + Prepare, test and upload a security update addressing CVE-2017-15371,
    CVE-2017-11359, CVE-2017-11358 and CVE-2017-11332 (DLA 1705-1).

liblivemedia:

  + Analyse liblivemedia patch for CVE-2019-9215 which, IMO, required some
    investigation before going on with the patch (severity was claimed to
    be critical but in the end we had very little info apart from the patch).
    This ended up being quite a lot of work. I produced a proof of concept,
    finally reported these issues on debbugs and prepared updates for both
    jessie and stretch (DLA 1720-1) (DSA-4408-1). Note that some work,
    including the PoC, has not been published yet; I plan to do it soon.

sssd:

  + Analyse sssd CVE-2018-16838 and mark it no-dsa: GPO based access
    control not present in jessie.

mysql-connector-python:

  + Investigate CVE-2019-2435 and mark it ignored in jessie. This CVE is
    potentially dangerous, but we have extremely little information about it
    from Oracle. Apart from marking it ignored we could

    1. upgrade to 8.0.14
    2. spend two weeks reverse-engineering the 8.0.14 release to extract
       information about the vulnerability and backport a highly hypothetical
       patch

    but I guess this is all out of the question here.

hdf5:

  + triage work on undetermined issues. There is a huge backlog here, many
    undetermined issues, half-reported, duplicates, etc. I have started the
    triage report but this might take some more time.

kde4libs:

  + Analyse CVE-2019-7443 to determine whether the kauth fix applies to
    kde4libs, and whether we should release a DLA or not. I concluded
    that it was in fact possible to apply the kauth patch to kde4libs
    but that the impact was way too low to take the risk to introduce
    regressions. I finally marked the issue no-dsa, more info in the
    commit message.

misc:

  + various CVE triage and update work on dla-needed.

The report is coming a bit earlier this month, I ran out of hours quite
quickly due to my liblivemedia, kde4libs and hdf5 work. I wanted to
continue my work on faad2 but did not manage to find time for that, so I
will try to finish this next month.

Best Regards,
 Hugo

--
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
