Debian LTS Logo

Here is my transparent report for my work on the Debian Long Term Support (LTS) project, which extends the security support for past Debian releases, as a paid contributor.

In May, the monthly sponsored hours were split evenly among contributors depending on their max availability - I declared max 30h and got 18h.

  • firefox-esr: jessie-security update, security-ish issue with modules signing authority, backporting stretch's
  • CVE-2018-19969/phpmyadmin: attempt backporting the 49 patches and decide against it since they merely mitigate the CSRF issues but certainly break the testsuite
  • CVE-2018-20839/systemd: attempt to reproduce issue in Jessie, conclude no-dsa due to non-reproducibility and regressions introduced by the patch
  • CVE-2019-2697/openjdk-7: triage (sync with previous uploaders, conclude "not-affected")
  • CVE-2019-0227/axis: triage (clarify SSRF situation, sync with packager, conclude "unfixed")
  • dns-root-data: discuss potential update, conclude not relevent due to no reverse dependencies
  • gradle, kdepim: update triage info

Incidentally, last month I mentioned how regularly updating a 19MB text file caused issues in Git - it appears it's even breaking salsa.debian.org! Sadly conversation between involved parties appears difficult.

If you'd like to know more about LTS security, I recommend you check: