Hi,

December 2017 was my 16th month as a paid Debian LTS contributor.

I was allocated 14 hours. I have spent all of them doing the following tasks:

* Finish debugging ming CVE-2017-11732 and write a patch addressing this issue.
  https://github.com/libming/libming/issues/80
  Merged upstream. Will be integrated in the next upload (wait for CVE-2017-16898).

* Finish debugging ming CVE-2017-16898 and write a patch addressing this issue.
  https://github.com/libming/libming/issues/75
  Patch not submitted yet, waiting for some testing. Should be done next month.

* libav support in wheezy: Unfortunately, Diego Biurrun (who was handling libav support in Wheezy) could not take part in the libav efforts this month due to personal issues, so I had to take the reins. I managed to:

  + Investigate libav CVE-2015-8218: not affected
    https://lists.debian.org/debian-lts/2017/12/msg00011.html

  + Investigate libav CVE-2015-8216.
    https://lists.debian.org/debian-lts/2017/12/msg00019.html
    Even though I originally claimed this CVE to not affect Jessie and Wheezy, I'm still unable to clearly explain why and a doubt subsists. I am going to continue my investigations on this CVE next month.

  + Discover FPE in libav 0.8.21 and investigate it.
    https://lists.debian.org/debian-lts/2017/12/msg00043.html
    I didn't have the time to find the issue behind this vulnerability. I am planning to investigate this issue further next month.

The backlog is still very high (46 open/undetermined issues now).

Next month I am planning to finish my work on Ming and dedicate the rest of my assigned hours to my libav related tasks.

Best Regards,
Hugo

--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA