In September 2019, I worked on the Debian LTS project for 11 hours (of 12 hours planned) and on the Debian ELTS project for another 2 hours (of 12 hours planned) as a paid contributor. I have given back the 10 ELTS hours, but will keep the 1 LTS hour and move it over to October. As I will be gone on family vacation during two weeks of October, I have reduced my workload for the coming months accordingly (10 hours LTS, 5 hours ELTS).
LTS Work
- Patch review on qemu (regarding DLA-1927-1)
- Perform regression tests on previous LTS uploads of 389-ds-base (see [1,2] for results/statements)
- Upload netty 3.2.6.Final-2+deb8u1 to jessie-security (DLA-1941-1 [3]), fixing 1 CVE
- Triage nghttp2, probably not affected by CVE-2019-9511 and CVE-2019-9513. The code base is really different around the passages where the fixing patches have been applied by upstream. I left a comment in dla-needed.txt plus asked for a second opinion. [4]
- Go over all 2019 LTS announcements in the webwml.git repository and ping LTS team members (including myself) on missing webwml DLAs.
- Upload phpbb3 3.0.12-5+deb8u4 to jessie-security (DLA-1942-1 [5]), fixing 1 (or 2) CVE(s). Regarding the phpbb3 upload, Sylvain Beucler and I are currently discussing [6] whether CVE-2019-13376 actually got fixed with this upload or not. There will be some sort of follow-up announcement on this matter soon.
ELTS Work
- Upload netty 3.2.6.Final-2+deb7u1 to wheezy-lts (ELA-168-1 [7]), fixing 1 CVE
References
- [1] https://lists.debian.org/debian-lts/2019/09/msg00036.html
- [2] https://lists.debian.org/debian-lts/2019/09/msg00037.html
- [3] https://lists.debian.org/debian-lts-announce/2019/09/msg00035.html
- [4] https://salsa.debian.org/security-tracker-team/security-tracker/commit/5...
- [5] https://lists.debian.org/debian-lts-announce/2019/09/msg00036.html
- [6] https://lists.debian.org/debian-lts/2019/10/msg00011.html
- [7] https://deb.freexian.com/extended-lts/updates/ela-168-1-netty/