In March 2020, I have worked on the Debian LTS project for 10.25 hours (of 10.25 hours planned).
LTS Work
- Frontdesk: CVE Bug Triaging for Debian jessie LTS: libpam-krb5, symfony, edk2 (EOL), icu, twisted, yubikey-val, netkit-telnet(-ssl), libperlspeak-perl (new EOL). and glibc.
- Upload to jessie-security: tinyproxy (DLA-2163-1 [1], 1 CVE, 1 severe bug [2]).
- Revisit CVE-2015-9541 in jessie's qtbase-opensource-src and agree with Dmitry Shachnev from Debian's KDE/Qt Team about tagging this CVE '<ignored>' in Debian's security tracker. The proposed upstream patch uses an API not available in jessie's Qt5 version (QStringView API) and the serious of patched ot be applied would be quite invasive.
- Prepare upload of libpam-krb5 4.6-3+deb8u1 (1 CVE) (will be uploaded during the day).
- Look closer into CVE-2019-17177 for FreeRDP v1.1 (and decide to ignore it, as patchwork would have to be applied all over the code).
Other security related work for Debian
- Upload to stretch: libvncserver 0.9.11+dfsg-1.3~deb9u4 (1 CVE)
- Upload to buster: libvncserver 0.9.11+dfsg-1.3+deb10u3 (1 CVE)
- Upload to stretch: tinyproxy 1.8.4-3~deb9u2 (1 CVE, 1 severe bug [2])
- Upload to buster: tinyproxy 1.10.0-2+deb10u1 (1 severe bug)
- Study the code of x11vnc (regarding Debian bug #672435 [3], which currently has a temp-CVE), apply upstream's fix (which did not work) and ping upstream about possible other required patches in x11vnc and/or libVNC.
Credits
A very big thanks goes to Utkarsh Gupta, a colleague from the Debian LTS team, who sponsored all my uploads and who sent the DLA mails on my behalf, while I was (and still am) in self-induced GPG lockdown (I forgot to update my GPG public key in Debian's GPG keyring). Thanks, Utkarsh!