Hi,
Here is my LTS report for August 2019.
I was allocated 30.5h. I have spent all of them in the following tasks:
xymon:
+ Backport stretch security update to jessie, test it (DLA-1898-1).
389-ds-base:
+ Triage CVE-2019-10224: not affected in the end, but the situation was a bit
messy and it took longer than expected.
imagemagick:
+ Continue my triage work: this took *a lot* of time, for a variety of reasons:
upstream does not provide clear security fixes, does not provide clear commit
messages or any kind of information relative to changes. I have found
additional security relevant issues in the source code and suggested a
number of changes to upstream's patches.
+ Following the triage, prepare the security update (DLA-1888-1).
libsdl2:
+ Triage work for CVE-2019-13616 and CVE-2019-13626: this also turned out to be
longer than expected because upstream did not provide clear indications about
which patch exactly fixed CVE-2019-13626.
tika:
+ Triage work for recent CVEs, research upstream fixes and ask for confirmation.
+ Upload did not happen yet, because I encountered difficulties while
backporting the patches to jessie. Furthermore, I could not clearly assess that
jessie is affected. I am still actively working on this and plan to finish
next month.
clamav:
+ Work on clamav's zip bomb issue. Open bug report, triage.
+ Upload did not happen yet because I was waiting for Sebastian to release
0.101.4+dfsg-0+deb9u1. This happened today, so I expect to be able to release
the jessie update tomorrow.
faad2:
+ Review my previous work, investigate and prepare patches for a few more
security issues, get them reviewed and merged by upstream. This includes
*a lot* of triage work, non-trivial debugging and requesting a CVE number for
a temporary entry from our tracker.
+ The last patches have been reviewed and merged this morning, meaning that I
will be able to release the jessie update in the next days.
Otherwise, the usual triage. I kept an eye on hdf5.
cheers,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C