LTS/ELTS Report for December 2019
For December 2019 I spent 16.5 hours on the following LTS tasks:
- php-horde: CVE-2019-12094 and CVE-2019-12095; the former was triaged
as a minor issue and the latter, initially misattributed to
php-horde-trean, was fixed in jessie (normal upload), stretch
(old-stable-proposed-updates), and buster (stable-proposed-updates) in
coordination with the Security Team and SRMs
- opensc: triaged CVE-2019-19480 and CVE-2019-19481, then handed off to
Utkarsh Gupta for integration of fix for CVE-2019-19479; reviewed and
sponsored Utkarsh's upload and published the DLA he prepared
- davical: fixed CVE-2019-18345, CVE-2019-18346, and CVE-2019-18347
- git: began work to backport and integrate patches for all open CVEs,
using packages prepared by the Debian Security Team for stretch and by
the Ubuntu Security Team for xenial as a starting point; work is
nearly complete
I spent a further 16.5 hours on the following ELTS tasks:
- openjdk-7: finished implementing/integrating autopkgtest tests;
documented findings and procedures to reproduce implementation so that
tests can be integrated into next updates of openjdk-8 (jessie) and
openjdk-7 (wheezy)
- git: began work to backport and integrate patches for all open CVEs,
using packages prepared by the Debian Security Team for stretch and by
the Ubuntu Security Team for xenial as a starting point; the wheezy
version being so much older, the stretch and xenial patches require
much more backporting work in order to integrate
Regards,
-Roberto
--
Roberto C. Sánchez