LTS Report for April 2018 - Abhijith PA
April 2018 was my third month as a Debian LTS paid contributor. I was assigned 10 hours but was only able to do 5. I am carrying the rest over to May. I have spent these hours on:

* sharutils: Investigated CVE-2018-197 and marked the wheezy version as not-affected. (The wheezy version has a buffer size for shell process input.)
* drupal7: Backported CVE-2018-7602 on the same day as the upstream disclosure :). Thanks to Emilio Pozuelo Monfort for uploading. [1]
* ocaml: Initially backported CVE-2018-9838 but later marked it as no-dsa to follow the Debian security team.

Regards,
Abhijith PA

[1] https://lists.debian.org/debian-lts-announce/2018/04/msg00030.html
LTS Report for April 2018
For April I spent 7 hours on the following:

- gcc-4.9: after the determination was made that backporting the retpoline patches to gcc-4.6 was infeasible, work began on backporting gcc-4.9 from jessie; I encountered issues beyond my expertise and Ben Hutchings took this over and completed the work
- apache2: determined that three open CVEs did not apply to the wheezy version of apache2; worked on backporting patches for CVE-2017-15710, CVE-2018-1301, and CVE-2018-1312; the patch for CVE-2018-1312 has been problematic because of incompatible changes made upstream on the 2.4 branch and the fact that upstream security support for 2.2 ended last year (I anticipate completing this in the next day or two)

I also had a surplus of hours which I gave back.

Regards,

-Roberto

--
Roberto C. Sánchez