Hi,

Here are my LTS and ELTS reports for May 2019.

=================
Debian LTS report

I was allocated 18 hours. I have spent all of them in the following tasks:

hdf5:
 + Continued my triage work. I initially planned to do a first upload this month, but was not able to do this within my assigned time. Contacted upstream regarding CVE-2018-17432. First upload planned for June.

jinja2:
 + I have continued my triage work regarding CVE-2019-10906 and CVE-2016-10745. After some discussion with the security team we decided to mark it no-dsa.

liblivemedia:
 + Raised upstream's attention on CVE-2019-7732 and CVE-2019-7733. This resulted in upstream rejecting CVE-2019-7732 and patching CVE-2019-7733. I finally marked CVE-2019-7733 no-dsa.

faad2:
 + Lots of triage work after last update.
 + Prepare patches for CVE-2018-20196 and submit them for upstream review. Will be uploaded once merged, this month. See https://github.com/knik0/faad2/pull/36
 + prepare, test and upload a security update addressing CVE-2018-20362, CVE-2018-20198, CVE-2018-20197 and CVE-2018-20194 (DLA-1791-1).

imagemagick:
 + First triage, contact Markus and Roberto concerning their previous work on the matter.
 + Prepare a security update addressing CVE-2019-9956, CVE-2019-11598, CVE-2019-11597 and CVE-2019-10650 (DLA 1785-1). Backporting these patches was a lot of work. I discovered multiple issues in upstream's patches and struggled to explain why the CVE-2019-11597 PoCs were still affecting jessie after applying upstream's patches. It turned out that upstream's initial patches were insufficient...

graphicsmagick:
 + prepare, test and upload a security update addressing CVE-2019-11506, CVE-2019-11505, CVE-2019-11474 and CVE-2019-11473 (DLA-1795-1).
 + find minor regressions in 1.3.20-3+deb8u6. Fixed them in DLA-1795-1.

wireshark:
 + prepare, test and upload a security update addressing CVE-2019-10903, CVE-2019-10901, CVE-2019-10899, CVE-2019-10895 and CVE-2019-10894 (DLA 1802-1).

sysdig:
 + start to work on CVE-2019-8339, but did not have enough time this month to fulfill my investigations.

libsdl2-image:
sdl-image1.2:
 + coordinate work with ELTS on CVE-2019-12221, CVE-2019-12219, CVE-2019-12220, CVE-2019-12222. See ELTS report.

misc:
 + various triage, see tracker's logs.

==================
Debian ELTS report

I was allocated 15 hours. I have spent all of them in the following tasks:

wireshark:
 + prepare, test and upload a security update addressing CVE-2019-10895 and CVE-2019-10894 (ELA-118-1). Backporting patches took a lot of time, but in the end it was worth it because this work could be uploaded to both wheezy and jessie.
 + prepare, test and upload a second update fixing CVE-2019-12295 and older vulnerabilities: CVE-2017-13767, CVE-2017-9345, CVE-2017-9352 and CVE-2017-9617 (ELA-126-1).
 + fix inconsistencies in ELA-75-1.

tomcat7:
 + prepare, test and upload a security update addressing CVE-2019-0221 (ELA-124-1).

modsecurity-crs:
 + Investigate and get in touch with upstream regarding fixes. Finally mark no-dsa, given that the impact on reverse dependencies is highly negligible and patches rather complex.

libsdl1.2:
 + investigate CVE-2019-12221, CVE-2019-12219, CVE-2019-12220 and CVE-2019-12222: should be ignored because they actually affect libsdl2-image and sdl-image1.2, not libsdl2/libsdl1.2. The -image part of the SDL library is EOL.

suricata:
 + Perform proper triage for currently open issues. Prepare and test a security update addressing CVE-2019-10053 (not uploaded yet, but should be done by tomorrow).

misc:
 + various triage, see tracker's logs.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C