
Here is my transparent report for my work, as a paid contributor, on Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases.

Yes, that changed since last month, as I was offered the opportunity to work on ELTS :)

In August, the monthly sponsored hours were split evenly among contributors depending on their maximum availability: I was assigned 21.75h for LTS (out of 30 max) and 14h for ELTS (the max).

Interestingly, I was able to factor out some time between LTS and ELTS while working on vim and tomcat for both suites.

LTS - Jessie

  • squirrelmail: CVE-2019-12970: locate patch, refresh previous fix with new upstream-blessed version, security upload
  • vim: CVE-2017-11109, CVE-2017-17087, CVE-2019-12735: analyze and reproduce issues (one of them not fully exploitable), fix new and postponed issues, security upload
  • tomcat8: improve past patch to fix the test suite, report and refresh test certificates
  • tomcat8: CVE-2016-5388, CVE-2018-8014, CVE-2019-0221: requalify old not-affected issue, fix new and postponed issues, security upload

Documentation:

  • wiki: document good upload/test practices (pbuilder and lintian+debdiff+piuparts); request for comments
  • www.debian.org: import missing DLA-1810 (tomcat7/CVE-2019-0221)
  • freeimage: update dla-needed.txt status

ELTS - Wheezy

  • Get acquainted with the new procedures and setup build/test environments
  • vim: CVE-2017-17087, CVE-2019-12735: analyze and reproduce issues (one of them not fully exploitable), fix new and pending issues, security upload
  • tomcat7: CVE-2016-5388: requalify old not-affected issue, security upload

Documentation:

  • raise concern about missing dependency in our list of supported packages
  • user documentation: documentation fix, apt-key list -> apt-key finger
  • triage: mark a few CVEs as EOL, fix up missing fixed versions in data/ELA/list (not automated anymore following the oldoldstable -> oldoldold(!)stable switch)

While not part of Debian strictly speaking, ELTS strives for the same level of transparency; see in particular the Git repositories: https://salsa.debian.org/freexian-team/extended-lts