Debian LTS Logo

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.

In February, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 20h for LTS (out of 30 max; all done) and 8h for ELTS (out of 20 max; I did 7).

Security work is never completely isolated, typically my work on nodejs impacted jessie/stretch/buster, and my work on netty affected wheezy/jessie/stretch :)

ELTS - Wheezy

  • netty: refine prior triages, write minimal test server, adapt 3 fixes, security upload: ELA-214
  • Suggest redispatching hours from past month not given back in time, as team members only got 3.5h each; follow-up on the issue
  • Contribute to exchanges about supporting libgd2 (unsupported dependency of a supported package, an inconsistency we'll try to detect earlier)

LTS - Jessie

  • netty: refine prior triages, security upload DLA 2109-1
  • netty-3.9: identify duplicate package, fix prior vulnerabilities, security upload DLA 2110-1
  • nodejs: jessie/stretch/buster triage (3 CVEs), request access to not-yet-public hackerone reports
  • nodejs: clarify support status, reclassify open vulnerabilities on nodejs ecosystem as EOL (end-of-life) for jessie & stretch
  • http-parser: mark as affected by nodejs' CVE-2019-15605; jessie triage: ignored (invasive change with ABI breakage)
  • wordpress: precise my past triage (2 CVEs): postponed (serialization vulnerabilities related to PHP itself currently not addressed at application/wordpress level)
  • otrs2: security upload DLA 2118-1 (interestingly recent otrs2 is in non-free not due to licensing, but due to embedding specific versions of javascript dependencies)
  • CVE-2019-10784/phppgadmin: answer request for comment
  • xen: point out external support


  • TestSuites/netty: instruction on how to find, compile and adapt server examples
  • DLA-1993-1: update Debian website (was only published via mailing-list)
  • embedded-code-copies: reference http-parser embedded in nodejs
  • README.external-support: clean-up external support contact points