May (E)LTS Report


Here are my LTS and ELTS reports for May 2019.

Debian LTS report

I was allocated 18 hours. I have spent all of them on the following:

  + Continued my triage work. I initially planned to do a first
    upload this month, but was not able to do this within my assigned time.
    Contacted upstream regarding CVE-2018-17432. First upload planned for

  + I have continued my triage work regarding CVE-2019-10906 and
    CVE-2016-10745. After some discussion with the security team we decided
    to mark them no-dsa.

  + Raised upstream's attention on CVE-2019-7732 and CVE-2019-7733. This
    resulted in upstream rejecting CVE-2019-7732 and patching
    CVE-2019-7733. I finally marked CVE-2019-7733 no-dsa.

  + Lots of triage work after last update.
  + Prepare patches for CVE-2018-20196 and submit them for upstream review.
    Will be uploaded once merged, this month. See
  + prepare, test and upload a security update addressing CVE-2018-20362,
    CVE-2018-20198, CVE-2018-20197 and CVE-2018-20194 (DLA-1791-1).

  + First triage, contact Markus and Roberto concerning their previous
    work on the matter.
  + Prepare a security update addressing CVE-2019-9956, CVE-2019-11598,
    CVE-2019-11597 and CVE-2019-10650 (DLA-1785-1).

    Backporting these patches was a lot of work. I discovered multiple
    issues in upstream's patches and struggled to explain why the
    CVE-2019-11597 PoCs were still affecting jessie after applying
    upstream's patches. It turned out that upstream's initial patches
    were insufficient...

  + prepare, test and upload a security update addressing CVE-2019-11506,
    CVE-2019-11505, CVE-2019-11474 and CVE-2019-11473 (DLA-1795-1).
  + found minor regressions in 1.3.20-3+deb8u6. Fixed them in DLA-1795-1.

  + prepare, test and upload a security update addressing CVE-2019-10903,
    CVE-2019-10901, CVE-2019-10899, CVE-2019-10895 and CVE-2019-10894
    (DLA-1802-1).

  + start to work on CVE-2019-8339, but did not have enough time this month
    to complete my investigations.

  + coordinate work with ELTS on CVE-2019-12221, CVE-2019-12219,
    CVE-2019-12220, CVE-2019-12222. See ELTS report.

  + various triage, see tracker's logs.

Debian ELTS report

I was allocated 15 hours. I have spent all of them on the following:

  + prepare, test and upload a security update addressing CVE-2019-10895
    and CVE-2019-10894 (ELA-118-1).
    Backporting patches took a lot of time, but in the end it was worth it
    because this work could be uploaded to both wheezy and jessie.
  + prepare, test and upload a second update fixing CVE-2019-12295 and
    older vulnerabilities: CVE-2017-13767, CVE-2017-9345, CVE-2017-9352 and
    CVE-2017-9617 (ELA-126-1).
  + fix inconsistencies in ELA-75-1.

  + prepare, test and upload a security update addressing CVE-2019-0221.

  + Investigate and get in touch with upstream regarding fixes. Finally
    marked it no-dsa, given that the impact on reverse dependencies is
    negligible and the patches rather complex.

  + investigate CVE-2019-12221, CVE-2019-12219, CVE-2019-12220 and
    CVE-2019-12222: they should be ignored because they actually affect
    libsdl2-image and sdl-image1.2, not libsdl2/libsdl1.2. The -image
    part of the SDL library is EOL.

  + Perform proper triage for currently open issues. Prepare and test a
    security update addressing CVE-2019-10053 (not uploaded yet, but should
    be done by tomorrow).

  + various triage, see tracker's logs.
