Here is my transparent report for my work on the Debian Long Term Support (LTS) project, which extends the security support for past Debian releases, as a paid contributor.
In May, the monthly sponsored hours were split evenly among contributors depending on their max availability - I declared max 30h and got 18h.
- firefox-esr: jessie-security update, security-ish issue with modules signing authority, backporting stretch's
- CVE-2018-19969/phpmyadmin: attempt backporting the 49 patches and decide against it since they merely mitigate the CSRF issues but certainly break the testsuite
- CVE-2018-20839/systemd: attempt to reproduce issue in Jessie, conclude no-dsa due to non-reproducibility and regressions introduced by the patch
- CVE-2019-2697/openjdk-7: triage (sync with previous uploaders, conclude "not-affected")
- CVE-2019-0227/axis: triage (clarify SSRF situation, sync with packager, conclude "unfixed")
- dns-root-data: discuss potential update, conclude not relevant due to no reverse dependencies
- gradle, kdepim: update triage info
Incidentally, last month I mentioned how regularly updating a 19MB text file caused issues in Git - it appears it's even breaking salsa.debian.org! Sadly, conversation between the involved parties appears difficult.
If you'd like to know more about LTS security, I recommend you check:
- https://salsa.debian.org/security-tracker-team/security-tracker: public Git repository for the Debian Security and Debian LTS teams
- https://lists.debian.org/debian-lts/: Debian LTS users and contributors discussions