In February I requested to join the Debian LTS project, which extends the security support for past Debian releases, as a paid contributor.
Kudos to Freexian for pulling this project off.
I was asked to demonstrate a full security update on my own (unpaid), which I did with 2 DLAs (Debian LTS Advisories):
- freedink-dfarc: jessie-security update, applying my own path traversal security fix
- phpmyadmin: jessie-security update, assessing 1 CVE as not affected and fixing another
Incidentally, every Debian Developer can make a direct security upload to jessie-security without prior validation (just follow the guide).
Following the spirit of transparency that animates Debian and Debian Security, here's my report for my first paid month.
In March, the monthly sponsored hours were split evenly among contributors depending on their max availability.
I got 29.5h, which I spent on:
- nettle/gnutls: investigate local side-channel attack and conclude no-dsa / minor issue
- symfony: helped test Roberto's update
- sqlalchemy: jessie-security update for SQL injection, tested and discussed upstream's own backported patch
- glib2.0: investigate denial of service and mark as no-dsa / not reproducible
- ghostscript: investigate sandbox break and (lack of) test suite, and conclude we'll backport the next upstream release
- pdns: jessie-security update for the 'remote' backend
- Fixes/updates in dla-needed.txt, our (public) list of triaged security issues
- Fixes in the LTS wiki, templates and scripts, in particular with regard to https://www.debian.org/lts/security/ integration
If you'd like to know more about LTS security, I recommend you check:
- https://salsa.debian.org/security-tracker-team/security-tracker: public Git repository for the Debian Security and Debian LTS teams
- https://lists.debian.org/debian-lts/: Debian LTS users and contributors discussions