Hi,

Here are my LTS and ELTS reports for April 2019.

=================
Debian LTS report

I was allocated 17.25 hours. I have spent all of them on the following tasks:

hdf5:
  + Triage security backlog. Reproduce issues and coordinate with upstream
    to get rid of our huge undetermined backlog (35+ issues).

faad2:
  + Continue to work on my patch for CVE-2018-20362, coordinate to get it
    reviewed and merged upstream. Involved a lot of (painful) research in
    ISO/IEC 13818-7:2006.
  + Provide in-depth analysis for CVE-2018-19887 and prepare a patch.
    Coordinate to get it reviewed and merged upstream. Involved a lot of
    research in ISO/IEC 14496-3:2001. (See upstream bug reports for
    detailed information.)

jinja2:
  + Analyse CVE-2019-10906, develop a POC to assess vulnerability and
    reproduce on all suites. Find related patches and coordinate with
    security team and maintainer for update. Ongoing work.

suricata:
  + Prepare a security update addressing CVE-2018-10243 and
    CVE-2018-10242, test and upload it (DLA-1751-1). Analyse
    CVE-2018-10244 and mark it not-affected in jessie.

misc:
  + CVE triage work for, among others, libvirt, systemd.
  + Help Markus diagnose graphicsmagick problems with failing testsuite,
    resulting in jasper regression update later.

==================
Debian ELTS report

I was allocated 9 hours. I have spent all of them on the following tasks:

suricata:
  + Analyse CVE-2018-10244, CVE-2018-10243 and CVE-2018-10242,
    not-affected in wheezy.

wireshark:
  + Analyse CVE-2019-10902 and CVE-2019-10896, not-affected in wheezy.
    Reproduce CVE-2019-10903, CVE-2019-10901 and CVE-2019-10899. Prepare,
    test and upload a security update addressing these issues (ELA-106-1).

libvirt:
  + Analyse CVE-2019-3886 and mark it not-affected in wheezy.

ncurses:
  + CVE-2018-19217 analysis and triage. Discussion with Sylvain about
    not-affected status.

libxslt:
  + Triage CVE-2019-11068, prepare, test and upload a security update
    addressing this vulnerability (ELA-107-1).

systemd:
  + Analyse CVE-2019-9619 and CVE-2019-3842 and coordinate with Mike
    Gabriel for update.

misc:
  + CVE triage

Early report this month. I was allocated fewer LTS hours than last month
and spent a lot of time on faad2 patches, hdf5 and jinja2 triage. The
number of released DLAs is low (only one in total), but I have four pending
(wireshark, hdf5, faad2 waiting for more patches, and jinja2 waiting for an
answer from secteam).

Concerning ELTS, the number of updates was limited to two. Testing the
wireshark update took longer than expected, and releasing binaries for both
amd64 and i386 has its overhead.

cheers,
Hugo

--
Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C