Hi,

September 2017 was my 13th month as a paid Debian LTS contributor.

I was allocated 15 hours. I have spent all of them doing the following tasks:

* Continue to investigate lame CVEs. I have spent quite a lot of time trying to reproduce the CVEs, without success. Nevertheless, I still think that the wheezy version could be affected. You can find a summary of my work here: https://lists.debian.org/debian-lts/2017/09/msg00082.html
  I am probably going to wait for 3.100 to decide whether I should mark these CVEs no-dsa or not.

* Organise libav support in Debian LTS. libav LTS support has been quite infrequent since last year. I am currently discussing with Diego in order to guarantee a better handling of the 44 CVEs currently affecting libav in wheezy.

* Debug, test and upload clamav update (DLA 1105-1).

* Triage mp3gain CVEs and reproduce CVE-2017-14409/07. Again, issues seem to be hard to reproduce, like the ones in lame (the codebase is similar). Start to work on a patch but decide to stop (too time-consuming, unclear whether I would get useful results or not).

* Debug ming CVE-2017-11704 and start writing a patch addressing the issue: https://github.com/libming/libming/issues/76
  This is quite time-consuming because CVE-2017-11704 is actually caused by several overflows in multiple methods. Reproduce CVE-2017-117{04, 28, 29, 30, 32, 34}.

Best Regards,
Hugo

--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E