Hi, during November I worked 14 of the allocated 16.5 hours (11h + 5.5h from previous months) on LTS. During this time I did the following:
* libvorbis: Developed patches for CVE-2017-14632 and CVE-2017-11333 (the latter one needs a fix in sox (and other packages) too). I did not release a DLA yet since I was waiting for feedback from upstream (which does not seem to happen). So I contacted the security team so we can fix sid and the stable releases too in December.
* Updated https://wiki.debian.org/LTS/Development#Triage_new_security_issues
* Looked into openexr CVEs. It took me some time to reproduce CVE-2017-12596 since it didn't show up with either wheezy or openexr git master. After using the version the initial reporter used and bisecting, it turned out that this CVE was already addressed by the fix for another CVE in DLA-1083-1. CVE-2017-14988 was not worth a separate upload, so I tagged it as postponed.
* Reworked report-vuln so it can produce the complete bug report and fire up the mailer to send it to the BTS.
* Created a lts-bts script to contact maintainers about issues in LTS via the BTS instead of direct mails (no feedback so far on this).
* Tested the libxml2 security update prepared by Thorsten Alteholz.
* Prepared and tested Thunderbird 52.5 packages based on Carsten's work for sid. This resulted in DLA-1199-1 (which was released in December).
* Looked into swftools CVEs. After discussion with Moritz we'll likely turn it into a package with limited security support since there are many issues but it's mostly used as a build-dep in Debian.

Cheers,
-- Guido
