In November 2019, I worked on the Debian LTS project for 15 hours (of 15 hours planned) and on the Debian ELTS project for 5 hours (of 5 hours planned) as a paid contributor.
For LTS, I, in fact, pulled over 1.7 hours from October, so I really only did 13.3 hours for LTS in November.
(This is only half-true; I worked a considerable number of hours on this libvncserver code bundle audit, but I am just not invoicing all of it.)
LTS Work
- Triage jhead, libapache2-mod-auth-openidc, mailutils, python-psutil, ruby-rack-cors during (actually one day after, in coordination with Thorsten Alteholz) my first LTS frontdesk week this month.
- Triage asterisk, gnome-font-viewer, gnome-sushi, libjackson-json-java, proftpd-dfsg during my second week at LTS frontdesk this month. I also triaged nss and sqlite3 as part of my ELTS work (which dla-needed.txt benefitted from indirectly).
- Provide a .debdiff for italc/stretch (3.0.3+dfsg1-1+deb9u1) to the Debian Security Team (feedback still pending)
- Triage libvncserver issues in vino, provide a patch for vino/unstable (see Debian bug #945784 [1])
- Upload to jessie-security: vino (DLA-2014-1 [2]), 3 CVEs
- Upload to experimental: libvncserver 0.9.12-1 and 0.9.12-2, 1 CVE fixed, adopt the package, resurrect libvncserver.git on Salsa, give the package some love before uploading [3,4]
- Triage libvncserver (actually: libvncclient) issues in ssvnc and work on patches for this old VNC client code base
- Upload to jessie-security: ssvnc (DLA-2016-1 [5]), 4 CVEs
- Notify the ssvnc maintainer about newly discovered vulnerabilities (see Debian bug #945827).
- Provide .debdiff patches for libvncserver/stretch (0.9.11+dfsg-1.3~deb9u2) and libvncserver/buster (0.9.11+dfsg-1.3+deb10u1) to the Debian Security Team (feedback still pending)
- Sponsor-upload to jessie-security: 389-ds-base (DLA-2004-1), on behalf of Utkarsh Gupta
- Sponsor-upload to jessie-security: tnef (DLA-2005-1), on behalf of Utkarsh Gupta
- Upload to jessie-security: nss (DLA-2015-1 [6]), 1 CVE
ELTS Work
- Triage nss (affected by CVE-2019-17007) and sqlite3 (not affected by CVE-2019-19242, CVE-2019-19244)
- Upload to wheezy-security: nss (ELA-197-1 [7]), 1 CVE
References
- [1] https://bugs.debian.org/945784
- [2] https://lists.debian.org/debian-lts-announce/2019/11/msg00032.html
- [3] https://salsa.debian.org/debian-remote-team/libvncserver/commit/177810f7...
- [4] https://salsa.debian.org/debian-remote-team/libvncserver/commit/70a5fe09...
- [5] https://lists.debian.org/debian-lts-announce/2019/11/msg00033.html
- [6] https://lists.debian.org/debian-lts-announce/2019/11/msg00034.html
- [7] http://deb.freexian.com/extended-lts/updates/ela-197-1-nss/