Here is my transparent report for my work on the Debian Long Term Support (LTS) project, which extends the security support for past Debian releases, as a paid contributor.

In July, the monthly sponsored hours were split evenly among contributors depending on their max availability - I declared max 30h and got 18.5h.

My time was mostly spend on Front-Desk duties, as well as improving our scripts&docs.

Current vulnerabilities triage:

• CVE-2019-13117/libxslt CVE-2019-13118/libxslt: triage (affected, dla-needed)
• CVE-2019-12781/python-django: triage (affected)
• CVE-2019-12970/squirrelmail: triage (affected)
• CVE-2019-13147/audiofile: triage (postponed)
• CVE-2019-12493/poppler: jessie triage (postponed)
• CVE-2019-13173/node-fstream: jessie triage (node-* not supported)
• exiv2: jessie triage (5 CVEs, none to fix - CVE-2019-13108 CVE-2019-13109 CVE-2019-13110 CVE-2019-13112 CVE-2019-13114)
• CVE-2019-13207/nsd: jessie triage (affected, posponed)
• CVE-2019-11272/libspring-security-2.0-java: jessie triage (affected, dla-needed)
• CVE-2019-13312/ffmpeg: (libav) jessie triage (not affected)
• CVE-2019-13313/libosinfo: jessie triage (affected, postponed)
• CVE-2019-13290/mupdf: jessie triage (not-affected)
• CVE-2019-13351/jackd2: jessie triage (affected, postponed)
• CVE-2019-13345/squid3: jessie triage (2 XSS: 1 unaffected, 1 reflected affected, dla-needed)
• CVE-2019-11841/golang-go.crypto: jessie triage (affected, dla-needed)
• Call for triagers for the upcoming weeks

Past undermined issues triage:

• libgig: contact maintainer about 17 pending undetermined CVEs
• libsixel: contact maintainer about 6 pending undetermined CVEs
• netpbm-free - actually an old Debian-specific fork: contact original reporter for PoCs and attach them to BTS; CVE-2017-2579 and CVE-2017-2580 not-affected, doubts about CVE-2017-2581

Documentation:

• nodejs/node-* have no security support in Debian, plan better visibility (1) (2)
• reference mariadb in our list of test-suites

Tooling - bin/lts-cve-triage.py:

• filter out 'undetermined' but explicitely 'ignored' packages (e.g. jasperreports)
• fix formatting with no-colors output, hint that color output is available
• display lts' nodsa sub-states
• upgrade unsupported packages list to jessie