LTS:
e2fsprogs:
- Enabled the upstream tests during the build.
- Released DLA-3910-1, fixing CVE-2022-1304.
fcgiwrap:
- Discussed and documented that the CVE-2024-32004/git
regression does not affect <= bullseye.
ikiwiki-hosting:
- Discussed and documented that the CVE-2024-32004/git
regress
Hi everyone,
in October I worked on dnsmasq in bullseye, fixing
- CVE-2022-0934
- CVE-2023-28450
- CVE-2023-50387
- CVE-2023-50868
The last two patches fix the "keytrap" and "NSEC3" issue, which were quite
difficult to backport. I have also contacted the security researchers of the two
vulner
I've worked during September 2024 on the below listed packages, for
Freexian LTS/ELTS [1]
Many thanks to Freexian and sponsors [2] for providing this opportunity!
php-horde-turba (DLA-3923-1)
Fixing an arbitrary object deserialization vulnerability in php-horde-
turb
During the month of October 2024 and on behalf of Freexian, I worked on the
following:
php7.4
--
Uploaded 7.4.33-1+deb11u6 and issued DLA-3920-1.
https://lists.debian.org/msgid-search/?m=zw20swdcj3zl6...@debian.org
* CVE-2022-4900: Setting the environment variable
PHP_CLI_SERVER_WORKER
LTS:
poppler:
- Confirmed that CVE-2020-18839 is a duplicate of CVE-2020-27778
- Released DLA-3620-1, fixing CVE-2020-23804 CVE-2022-37050 CVE-2022-37051
- PoCs for all 3 CVEs were confirmed to be present in the unfixed
version and fixed in the fixed version
krb:
- Released DLA-3626-1, fixing
Hi,
I am funded by Freexian SARL and thus reporting about my work in October
2023.
I reviewed the patch for CVE-2023-44487 in h2o backported by Anton
Gladky regarding the ABI break in the shared library. Here, the
difficulty arises from the need to add runtime state to an exported
structure (whic
Hi everyone,
In October I published the initial version of ftf (functional test framework)
and fixed many things thanks to Santiago's feedback. It is now published at
https://gitlab.com/lgarrett/ftf.
I also spent time continuing work on samba, triaging the remaining CVEs and
preparing an upd
I've worked during October 2023 on the below listed packages, for
Freexian LTS/ELTS [1]
Many thanks to Freexian and sponsors [2] for providing this opportunity!
ELTS:
firmware-nonfree - ELA-981-1
This was a continuation of DLA-3596-1, which I've released in September,
this time for EL
During the month of October 2023 and on behalf of Freexian, I worked on the
following:
python-urllib3
--
Uploaded 1.24.1-1+deb10u1 and issued DLA-3610-1
https://lists.debian.org/msgid-search/?m=zsknlpfmnhu4q...@debian.org
* CVE-2018-25091: The fix for CVE-2018-20060 did not cover
I've worked during September 2023 on the below listed packages, for Freexian
LTS/ELTS [1]
Many thanks to Freexian and our sponsors [2] for providing this opportunity!
LTS
===
prometheus-alertmanager
---
I have released DLA 3609-1 following fixes from previous
Hi,
in October 2022, on behalf of Freexian and through my company velocitux
UG, I have worked on the following (E)LTS tasks:
ELA-717-1: freerdp
==
Finished the upload of the update for freerdp after quite tiresome
backporting activities. FreeRDP 1 is a challenging package, because
Hours worked:
40.5 hours
DLAs released:
DLA 2795 gpsd
CVE-2018-17937
DLA 2801 cron
CVE-2017-9525 CVE-2019-9704 CVE-2019-9705 CVE-2019-9706
DLA 2802 elfutils
CVE-2018-16062 CVE-2018-16402 CVE-2018-18310 CVE-2018-18520
CVE-2018-18521 CVE-2019-7150 CVE-2019-7665
DLA 2803 libsdl2
CVE-2017-2888 CVE
hi,
in October 2021 I spent 1h coordinating the hand-over of my activities to
Jeremiah:
- mail and irc communication, incl.
- coordinating with Jeremiah
- explaining stuff to Jeremiah
I expect this was my last month as an active LTS contributor for the immediate
future. (However for now I'v
Hi,
During the month of October, I spent 20.75h on LTS:
- investigated and addressed security-tracker corruption
- golang-go.crypto analysis and advice
- thunderbird 78 ESR update
- investigated and fixed thunderbird armhf build failure
- investigated thunderbird l10n bug report
- mariadb-10.1 a
Hours worked:
7 hours
DLAs released:
DLA-2422-1 qtsvg-opensource-src
CVE-2018-19869
DLA-2423-1 wireshark
CVE-2019-10894 CVE-2019-10895 CVE-2019-10896 CVE-2019-10899
CVE-2019-10901 CVE-2019-10903 CVE-2019-12295
DLA-2424-1 tzdata
new upstream version for DST changes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
October was my 32nd month as a Debian LTS paid contributor. I had a
total of 16 hours (14h assigned and 2h from last month). I've spent all of
them for the following,
* Front-desk duty from 05-10 to 11-10
* tinymce: Marked CVE-2019-1010091, CVE-
hi,
in October 2020 I spent 7h managing (E)LTS contributors:
- dispatching work hours for LTS and ELTS
- preparing and post-processing the monthly team meeting
- preparing the monthly Freexian blog post published on raphaelhertzog.com
- mail and irc communication, incl.
- semi-automatic unclaim
On Tue, Nov 12, 2019 at 11:03:17AM +0100, Sylvain Beucler wrote:
> I believe it's a matter of magnitude: the doc's example is about a 10%
> excess, while this was about a ~200% excess.
this, exactly.
> Coordination allows to average the workload and reactivity, for instance
> by adding more peopl
Hi,
On 10/11/2019 21:41, Brian May wrote:
> Holger Levsen writes:
>
>> then, just for the record, this was discussed with Raphael and me. Please
>> don't do more hours than assigned without coordination. See "What should
>> I do if I work more than the hours allocated?" in debian-lts.git for
>> m
Holger Levsen writes:
> then, just for the record, this was discussed with Raphael and me. Please
> don't do more hours than assigned without coordination. See "What should
> I do if I work more than the hours allocated?" in debian-lts.git for
> more info.
Huh? I don't see anything about requiri
Hi,
first: thanks for your work and the report, Emilio!
On Sun, Nov 10, 2019 at 11:07:02AM +0100, Emilio Pozuelo Monfort wrote:
> Since the hours spent on LTS were higher than my allotted time, my November
> hours will be used for that, as well as a few from ELTS, and I will work on
> the
> rema
Hi,
During the month of October I spent 72 hours on finishing the Firefox ESR 68
update. That update took so much time due to the necessary toolchain updates,
which included rust & cargo, LLVM, and GCC, and to several issues which were
encountered with some of those components and with some old ve
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
October was my 20th month as a Debian LTS paid contributor. I had 14
hours assigned. Out of which I spent 8 hours and gave back rest to the
pool.
* novnc: Fixed CVE-2017-18635, tested and uploaded. DLA[1]
* libpcap: Fixed CVE-2019-15165, tested a
Hi,
For October, I spent 12h working on LTS on the rustc/cargo bootstrap. My original
approach showed some problems, so I attempted to follow the approach taken for
stretch, reusing old packages from snapshot.debian.org. In the end that brought
its own set of problems due to those old packages depe
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
October 2018 marked my 9th month as a Debian LTS paid contributor. I
had 14 hours of backlog, but due to some personal emergency situations
I couldn't spend much time. All I did was:
mupdf: marked CVE-2018-18662 as not affected.
libspring-java: Re
Hi,
Last month I only managed to work 7h on LTS, which I spent doing the following:
- db, db4.8, db4.7 security updates
- mysql-5.5 security update
- tzdata and libdatetime-timezone-perl updates
- CVE triaging
Cheers,
Emilio
For October I spent 11 hours on the following:
- imagemagick: prepared 8:6.7.7.10-5+deb7u18, covering CVE-2017-15277
and CVE-2017-15281
- nss: prepared 2:3.26-1+debu7u5, covering CVE-2017-7805
- tomcat7: prepared 7.0.28-4+deb7u16, covering CVE-2017-12617
Regards,
-Roberto
--
Roberto C. S
In October I spent 10 hours, continuing from last month, on
graphicsmagick:
* Uploaded version 1.3.16-1.1+deb7u10 with fixes for the following issues:
* Fix CVE-2017-14103: The ReadJNGImage and ReadOneJNGImage functions in
coders/png.c did not properly manage image pointers after certain erro
Hi,
October 2016 was my second month as a paid Debian LTS contributor.
I was allocated 12 hours. I have spent 12 hours doing the following tasks:
* Test and upload a security update for libav (0.8.18-0+deb7u1). Discussion
with upstream to get more point releases.
DLA: 644-1
Closed CVEs: C
September was my 5th month as a debian-lts contributor. I was
allocated 13 hours in addition to the 4.5 hours not used in the
previous month.
I used 7 hours in which I worked on the following:
* Was responsible for LTS frontdesk for two weeks triaging several
security issues and following up ev
For October I had available 14.75 hours. I spent them on the following
tasks:
* ghostscript: CVE-2013-5653, CVE-2016-7976, CVE-2016-7977,
CVE-2016-7978, CVE-2016-7979, CVE-2016-8602: I was able to use
Salvatore's debdiff from the jessie security update to prepare the
wheezy security update,
Hi,
In this month I was allocated 13h, which I spent doing the following:
- Finished the update I had started to libarchive
- Tested libxml2 packages
- Updated X11 packages (libx11, libxi, libxtst), fixing some regressions in the
security patches:
https://cgit.freedesktop.org/xorg/lib/libXi