My Work on Debian LTS/ELTS (December 2018)

In December 2018, I have worked on the Debian LTS project for 21 hours and on the Debian ELTS project for 5 hours as a paid contributor. The originally planned 11 LTS hours (one hour carried over from November) had been extended to 21 hours. Of the originally planned 6 ELTS hours I carry over one hour to January 2019.

LTS Work

  • Fix several CVE issues in libav (DLA-1611-1 [1a] and DLA-1611-2 [1b]).
  • Fix the Magellan vulnerability in sqlite3 (DLA-1631-1 [2]).
  • Regression fix of poppler (DLA-1562-3 [3])
  • Involve FreeRDP upstream into fixing FreeRDP v1.1 in Debian jessie (esp. big thanks to Bernhard Miklautz for giving feedback).
  • Port FreeRDP CVE fixes over from Ubuntu [4].
  • Backport RDP v6 proto code and CredSSP v3 code from FreeRDP upstream commits to Debian jessie's (and stretch's) FreeRDP v1.1 [5].
  • An upload of a fixed FreeRDP v1.1 (both jessie and stretch) can be expected for January 2019. This work will be co-ordinated with the Debian stable release team [6] (feedback is still pending).


  • Setup test and build environment for Debian wheezy ELTS.
  • Give feedback on problems when installing Debian wheezy from scratch (although this makes rarely sense for most scenarious, it might help future ELTS developers).
  • Research on the Magellan vulnerability in Debian wheezy's sqlite3 [7] and request a second pair of eyes to look at sqlite3 in Debian wheezy (it might not be affected by it). The sqlite3 fix for Debian jessie (DLA-1613-1 [2]) was a zero-extra-effort outcome of this research.

Thanks to all LTS/ELTS sponsors for making these projects possible.