
August LTS Report


Here is my LTS report for August 2019.

I was allocated 30.5h. I have spent all of them in the following tasks:

 + Backport stretch security update to jessie, test it (DLA-1898-1).

 + Triage CVE-2019-10224: not affected in the end, but the situation was a bit
   messy and it took longer than expected.

 + Continue my triage work: this took *a lot* of time, for a variety of reasons:
   upstream does not provide clear security fixes, does not provide clear commit
   messages or any kind of information relative to changes. I have found
   additional security-relevant issues in the source code and suggested a
   number of changes to upstream's patches.
 + Following the triage, prepare the security update (DLA-1888-1).

 + Triage work for CVE-2019-13616 and CVE-2019-13626: this also turned out to be
   longer than expected because upstream did not provide clear indications about
   which patch exactly fixed CVE-2019-13626.

 + Triage work for recent CVEs, research upstream fixes and ask for confirmation.
 + Upload did not happen yet, because I encountered difficulties while
   backporting the patches to jessie. Furthermore, I could not clearly assess that
   jessie is affected. I am still actively working on this and plan to finish
   next month.

 + Work on clamav's zip bomb issue. Open bug report, triage.
 + Upload did not happen yet because I was waiting for Sebastian to release
   0.101.4+dfsg-0+deb9u1. This happened today, so I expect to be able to release
   the jessie update tomorrow.

 + Review my previous work, investigate and prepare patches for a few more
   security issues, get them reviewed and merged by upstream. This includes
   *a lot* of triage work, non-trivial debugging and requesting a CVE number for
   a temporary entry from our tracker.
 + The last patches have been reviewed and merged this morning, meaning that I
   will be able to release the jessie update in the next days.

Otherwise, the usual triage. I kept an eye on hdf5.


                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
