My Work on Debian LTS/ELTS (November 2019)

In November 2019, I have worked on the Debian LTS project for 15 hours (of 15 hours planned) and on the Debian ELTS project for 5 hours (of 5 hours planned) as a paid contributor.

For LTS, I, in fact, pulled over 1.7 hours from October, so I realy only did 13.3 hours for LTS in November.

(This is only half-true, I worked a considerable amount of hours on this libvncserver code bundle audit, but I am just not invoicing all of it).

LTS Work

  • Triage jhead, libapache2-mod-auth-openidc, mailutils, python-psutil, ruby-rack-cors during (actually one day after, in coordination with Thorsten Alteholz) my first LTS frontdesk week this month.
  • Triage asterisk, gnome-font-viewer, gnome-sushi, libjackson-json-java, proftpd-dfsg during my second week at LTS frontdesk this month. I also triaged nss and sqlite3 as part of my ELTS work (which dla-needed.txt benefitted from indirectly).
  • Provide a .debdiff for italc/stretch (3.0.3+dfsg1-1+deb9u1) to the Debian Security Team (feeback still pending)
  • Triage libvncserver issues in vino, provide a patch for vino/unstable (see Debian bug #945784 [1])
  • Upload to jessie-security: vino (DLA-2014-1 [2]), 3 CVEs
  • Upload to experimental: libvncserver 0.9.12-1 and 0.9.12-2, 1 CVE fixed, adopt the package, resurrect libvncserver.git on Salsa, give the package some love before uploading [3,4]
  • Triage libvncserver (actually: libvncclient) issues in ssvnc and work on patches for this old VNC client code base
  • Upload to jessie-security: ssvnc (DLA-2016-1 [5]), 4 CVEs
  • Notify the ssvnc maintainer about newly discovered vulnerabilities (see Debian bug #945827).
  • Provide .debdiff patches for libvncserver/stretch (0.9.11+dfsg-1.3~deb9u2) and libvncserver/buster (0.9.11+dfsg-1.3+deb10u1) to the Debian Security Team (feedback still pending)
  • Sponsor-upload to jessie-security: 389-ds-base (DLA-2004-1), on behalf of Utkarsh Gupta
  • Sponsor-upload to jessie-security: tnef (DLA-2005-1), on behalf of Utkarsh Gupta
  • Upload to jessie-security: nss (DLA-2015-1 [6]), 1 CVE


  • Triage nss (affected by CVE-2019-17007) and sqlite3 (not affected by CVE-2019-19242, CVE-2019-19244)
  • Upload to wheezy-security: nss (ELA-197-1 [7]), 1 CVE