Here is my transparent report for my work on the Debian Long Term Support (LTS) project, which extends the security support for past Debian releases, as a paid contributor.
In July, the monthly sponsored hours were split evenly among contributors depending on their max availability - I declared max 30h and got 18.5h.
My time was mostly spent on Front-Desk duties, as well as improving our scripts & docs.
Current vulnerabilities triage:
- CVE-2019-13117/libxslt CVE-2019-13118/libxslt: triage (affected, dla-needed)
- CVE-2019-12781/python-django: triage (affected)
- CVE-2019-12970/squirrelmail: triage (affected)
- CVE-2019-13147/audiofile: triage (postponed)
- CVE-2019-12493/poppler: jessie triage (postponed)
- CVE-2019-13173/node-fstream: jessie triage (node-* not supported)
- exiv2: jessie triage (5 CVEs, none to fix - CVE-2019-13108 CVE-2019-13109 CVE-2019-13110 CVE-2019-13112 CVE-2019-13114)
- CVE-2019-13207/nsd: jessie triage (affected, postponed)
- CVE-2019-11272/libspring-security-2.0-java: jessie triage (affected, dla-needed)
- CVE-2019-13312/ffmpeg: (libav) jessie triage (not affected)
- CVE-2019-13313/libosinfo: jessie triage (affected, postponed)
- CVE-2019-13290/mupdf: jessie triage (not-affected)
- CVE-2019-13351/jackd2: jessie triage (affected, postponed)
- CVE-2019-13345/squid3: jessie triage (2 XSS: 1 unaffected, 1 reflected affected, dla-needed)
- CVE-2019-11841/golang-go.crypto: jessie triage (affected, dla-needed)
- Call for triagers for the upcoming weeks
Past undetermined issues triage:
- libgig: contact maintainer about 17 pending undetermined CVEs
- libsixel: contact maintainer about 6 pending undetermined CVEs
- netpbm-free - actually an old Debian-specific fork: contact original reporter for PoCs and attach them to BTS; CVE-2017-2579 and CVE-2017-2580 not-affected, doubts about CVE-2017-2581
Documentation:
- nodejs/node-* have no security support in Debian, plan better visibility (1) (2)
- reference mariadb in our list of test-suites
Tooling - bin/lts-cve-triage.py:
- filter out packages that are 'undetermined' globally but explicitly 'ignored' for the release (e.g. jasperreports)
- fix formatting with no-colors output, hint that color output is available
- display lts' nodsa sub-states
- upgrade unsupported packages list to jessie
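As an added illustration of the per-release state resolution behind the first tooling item (example code written for this report, not bin/lts-cve-triage.py itself), the snippet below parses a constructed excerpt in the layout of the security tracker's data/CVE/list, lets a `[jessie]` override win over the global state, and lists the CVEs that are still undetermined for jessie while skipping those explicitly ignored there; the CVE ids starting with 0000, the descriptions and the versions are placeholders.

```python
import re

# Constructed sample in the layout of data/CVE/list: one header line per CVE,
# indented "- package state" lines, optional "[release] - package state" overrides.
# The real file indents with tabs; spaces are used here and accepted by the regex.
SAMPLE = """\
CVE-2019-13117 (libxslt, constructed description)
    - libxslt 1.0-1 (constructed fixed version)
    [jessie] - libxslt <unfixed>
CVE-2019-13147 (audiofile, constructed description)
    - audiofile <unfixed>
    [jessie] - audiofile <postponed> (Minor issue)
CVE-0000-00001 (libgig, placeholder id, constructed description)
    - libgig <undetermined>
CVE-0000-00002 (jasperreports, placeholder id, constructed description)
    - jasperreports <undetermined>
    [jessie] - jasperreports <ignored> (not supported)
CVE-2019-13290 (mupdf, constructed description)
    - mupdf <unfixed>
    [jessie] - mupdf <not-affected> (Vulnerable code not present)
"""

CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})")
ENTRY_RE = re.compile(r"^\s+(?:\[(\w+)\]\s+)?-\s+(\S+)\s+(<[^>]+>|\S+)(?:\s+\((.*)\))?$")

def parse_cve_list(text):
    """Return {cve: {package: {"global": state, "<release>": state, ...}}}.
    A bare version means the package is fixed in unstable; <...> is a tracker state."""
    cves, current = {}, None
    for line in text.splitlines():
        m = CVE_RE.match(line)
        if m:
            current = cves.setdefault(m.group(1), {})
            continue
        m = ENTRY_RE.match(line)
        if not m or current is None:
            continue  # NOTE:/TODO: lines and blank lines carry no state
        release, pkg, state, _note = m.groups()
        state = state.strip("<>") if state.startswith("<") else "fixed"
        current.setdefault(pkg, {})[release or "global"] = state
    return cves

def triage_state(entry, release):
    """The per-release override wins; otherwise the global state applies."""
    return entry.get(release, entry["global"])

def undetermined_todo(cves, release="jessie"):
    """CVEs still to triage: globally undetermined and not explicitly ignored for the release."""
    return [(cve, pkg) for cve, pkgs in cves.items() for pkg, entry in pkgs.items()
            if entry.get("global") == "undetermined" and triage_state(entry, release) != "ignored"]
```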