My Work on Debian LTS/ELTS (December 2019)

In December 2019, I have worked on the Debian LTS project for 15 hours (of 15 hours planned) and on the Debian ELTS project for 5 hours (of 5 hours planned) as a paid contributor.

LTS Work

  • Triage 14 packages during my frontdesk week (tomcat7, tomcat8, lout, apache-log4j1.2, x2goclient (libssh regression), nethack, nethack, cyrus-sasl2, php5, libjpeg-turbo, transfig, ruby-rack, ruby-excon)
  • Upload to jessie-security: cyrus-sasl2 (DLA-2044-1 [1]), 1 CVE
  • Deeply dive into tightvnc CVE issue hunting and help matching various CVEs between src:libvncserver and src:tightvnc, digging out patches, etc.
  • Upload to jessie-security: tightvnc (DLA-2045-1 [2]), 9 CVEs
  • Upload to jessie-security: x2goclient (DLA-2038-2 [7]) (fixing a regression caused by a recent libssh security upload; see DLA_2038-1 / CVE-2019-14889) [3]
  • Ping DLange and ggings about getting the libssh regression regarding x2goclient fixed in Ubuntu (LTS) [4]
  • Ping the release team on security update status regarding CVE-2019-14889/libssh (bundled with an X2Go Client update) for stretch + buster.
  • NMU-upload (to DELAYED/10) tightvnc targetting Debian unstable [5]. Waiting for the former maintainer to ACK the NMU or re-do it himself. As tightvnc has been open for adoption for years now, I have started considering taking over QA maintenance under the umbrella of the Debian Remote Maintainers team.
  • Re-schedule tightvnc NMU-upload to DELAYED/0 after maintainer's ACK.
  • Prepare tightvnc security uploads for stretch + buster (waiting for the recent upload to arrive in unstable).


  • Upload to wheezy-security: cyrus-sasl2 (ELA-203-1 [5]), 1 CVE
  • Start backport two patches for tomcat7 (CVE-2019-12418 and CVE-2019-17563) and hand them over to the team's mailing list for continuation by another team member (because hours had been used up and I would have needed a second opinion anyway)

Other security related work for Debian

  • Upload to buster(-pu): libvncserver 0.9.11+dfsg-1.3+deb10u1, 1 CVE, two other patches
  • Upload to stretch(-pu): libvncserver 0.9.11+dfsg-1.3~deb9u2, 1 CVE, two other patches
  • Upload to buster(-pu): atril 1.20.3-1+deb10u1, 1 CVE, one other patch
  • Upload to buster(-pu): freerdp2 2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u1, 1 CVE
  • Upload to experimental: libjpeg-turbo 1:2.0.3-1~exp1, 1 CVE (plus update security tracker about other CVEs fixed in experimental)

Updates (2019-12-22):

  • Add info about DLA-2038-2 for x2goclient upload to jessie LTS
  • Add section about other security related work in Debian related to my LTS work
  • Add info about rescheduled NMU of tightvnc/unstable.