April (E)LTS Report

To: debian-lts@lists.debian.org
Subject: April (E)LTS Report
From: Hugo Lefeuvre <hle@debian.org>
Date: Thu, 18 Apr 2019 22:25:55 +0200
Message-id: <[🔎] 20190418202555.GA1498@behemoth.owl.eu.com.local>

Hi,

Here are my LTS and ELTS reports for April 2019.

=================
Debian LTS report

I was allocated 17.25 hours. I have spent all of them in the following
tasks:

hdf5:

  + Triage security backlog. Reproduce issues and coordinate with upstream
    to get rid of our huge undetermined backlog (35+ issues).

faad2:

  + Continue to work on my patch for CVE-2018-20362, coordinate to get it
    reviewed and merged upstream.

    Involved a lot of (painful) research in ISO/IEC 13818-7:2006.

  + Provide in depth analysis for CVE-2018-19887 and prepare a patch.
    Coordinate to get it reviewed and merged upstream.

    Involved a lot of research in ISO/IEC 14496-3:2001.

    (See upstream bug reports for detailed information.)

jinja2:

  + Analyse CVE-2019-10906, develop a POC to assess vulnerability and
    reproduce on all suites. Find related patches and coordinate with
    security team and maintainer for update. Ongoing work.

suricata:

  + Prepare a security update addressing CVE-2018-10243 and CVE-2018-10242,
    test and upload it (DLA-1751-1). Analyse CVE-2018-10244 and mark it
    not-affected in jessie.

misc:

  + CVE triage work for, among others, libvirt, systemd.
  + help Markus diagnose graphicsmagik problems with failing testsuite,
    resulting in jasper regression update later.

==================
Debian ELTS report

I was allocated 9 hours. I have spent all of them in the following
tasks:

suricata:

  + Analyse CVE-2018-10244, CVE-2018-10243 and CVE-2018-10242, not-affected
    in wheezy.

wireshark:

  + Analyse CVE-2019-10902 and CVE-2019-10896, not-affected in wheezy.

    Reproduce CVE-2019-10903, CVE-2019-10901 and CVE-2019-10899. Prepare,
    test and upload a security update addressing these issues (ELA-106-1).

libvirt:

  + Analyse CVE-2019-3886 and mark it not-affected in wheezy.

ncurses:

  + CVE-2018-19217 analysis and triage. Discussion with Sylvain about
    not-affected status.

libxslt:

  + Triage CVE-2019-11068, prepare, test and upload a security update
    addressing this vulnerability (ELA-107-1).

systemd:

  + Analyse CVE-2019-9619 and CVE-2019-3842 and get in coordinate with Mike
    Gabriel for update.

misc:

  + CVE triage

Early report this month. I was allocated less LTS hours than last month and
spent a lot of time on faad2 patches, hdf5 and jinja2 triage. The number of
released DLAs is low (only one in total), but I have four pending
(wireshark, hdf5, faad2 waiting for more patches, and jinja2 for answer
from secteam).

Concerning ELTS, the number of updates was limited to two. Testing the
wireshark update was longer than expected and releasing binaries for both
amd64 and i386 has its overhead.

cheers,
 Hugo

--
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: April (E)LTS Report
  - From: Hugo Lefeuvre <hle@debian.org>

Prev by Date: Re: LTS, no-dsa reasoning and sponsored packages
Next by Date: Re: April (E)LTS Report
Previous by thread: Re: Wheezy ELTS?
Next by thread: Re: April (E)LTS Report
Index(es):
- Date
- Thread