In October 2019, I worked on the Debian LTS project for 11.75 hours (of 11.75 hours planned) and on the Debian ELTS project for 0 hours (of 5 hours planned) as a paid contributor. I have given back those 5 ELTS hours to the pool.
LTS Work
- Work on a pre-OpenSSL-1.0.2 patch, adding hostname validation support to imapfilter as found in Debian jessie (built against OpenSSL 1.0.1t) [1]
- File a GitHub PR against imapfilter upstream that got OpenSSL versioned #ifdef'ed code sections straight [2]
- Upload imapfilter 2.5.2-2+deb8u1 to jessie-security (DLA-1976-1 [3], 1 CVE)
- Upload libvncserver 0.9.9+dfsg2+deb8u6 to jessie-security (DLA-1977-1 [4], 1 CVE)
- Do a security audit of libvncserver-derived packages in Debian [5]
- Upload italc 1:2.0.2+dfsg1-2+deb8u1 to jessie-security (DLA-1979-1 [6], 21 CVEs)
In fact, preparing the italc security upload needed more time (an extra 1.7h) than available for my LTS work in October. In my mind, I will move over these 1.7h to November and invoice them then.
In November, I plan to follow up on the VNC security audit and prepare several VNC-related package uploads to Debian jessie LTS. I will also work on package .debdiff patches for package versions in stretch, buster and unstable.
As a first action, I will likely NMU-upload a new upstream release of libvncserver to unstable in the coming week [7].
ELTS Work
- I did not do any ELTS work in October 2019.
References
- [1] https://github.com/lefcha/imapfilter/pull/202
- [2] https://github.com/lefcha/imapfilter/files/3788731/CVE-2016-10937_OpenSS...
- [3] https://lists.debian.org/debian-lts-announce/2019/10/msg00040.html
- [4] https://lists.debian.org/debian-lts-announce/2019/10/msg00039.html
- [5] https://lists.debian.org/debian-lts/2019/10/msg00094.html
- [6] https://lists.debian.org/debian-lts-announce/2019/10/msg00042.html
- [7] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918777