Hi,
Here is my LTS report for October 2019.
I was allocated 46.5 hours (22.75h + 23.75h from last month). I have spent
all of them on the following tasks:
clamav:
+ Backport 0.101.4+dfsg-0+deb9u1 to jessie in order to fix the Zip bomb
issues (DLA-1953-1).
This triggered an ABI transition, requiring additional uploads to dansguardian,
havp, python-pyclamav and c-icap-modules.
Note: tests were long, especially regarding c-icap-modules because I stumbled
across a variety of bugs. I even needed to fix a Debian packaging bug in order
to test the package properly.
This update/transition was not trivial and a regression was found:
- https://alioth-lists.debian.net/pipermail/pkg-clamav-devel/2019-October/007497.html
I addressed this issue in DLA-1953-2.
openjpeg2:
+ Triage CVE-2018-21010. Prepare, test and upload a jessie update
addressing this issue (DLA-1950-1). Prepare, test and submit a
stretch-pu update addressing this issue (2.1.2-1.1+deb9u4).
libsdl1.2:
+ Prepare, test and upload regression update for libsdl1.2 (DLA-1713-2).
libsdl2:
+ Prepare, test and upload regression update for libsdl2 (DLA-1714-2).
cacti:
+ Reproduce CVE-2019-16723, produce a detailed report and get it reviewed
by upstream. Not affected in the end.
pam-python:
+ Start to investigate, open bug report and ask upstream for more
information. Still ongoing, the maintainer will handle the update.
imagemagick:
+ Investigate CVE-2019-17540, open bug report and ask Dirk Lemstra for more information.
Update MITRE CVE entry. Following this: prepare, test and upload a security update for
imagemagick (DLA-1968-1).
freeimage:
+ Write a patch for CVE-2019-12211:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929597
To be upstreamed before releasing a DLA.
python-reportlab:
+ Investigate CVE-2019-17626, still no upstream fix yet.
& various misc triage
regards,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C