August 2018 was my 7th month as a Debian LTS paid contributor. I was assigned 10 hours but I was only able to do 5. I am carrying the rest to next month. I have spent these hours on:

* squirrelmail: Tested and fixed CVE-2018-14950 - 14955, a bunch of XSS vulnerabilities. Thanks to Chris Lamb for uploading and releasing the DLA [1].

* libspring-security-2.0-java: CVE-2018-1258 only has an impact when this package is used with libspring-java RELEASE 5.0.5, which we don't have in jessie. Thus it is marked as not affecting.

* dojo: Backported CVE-2018-15494. Thanks to Chris Lamb again for uploading and releasing the DLA [2].

* twig: ah, (twig delayed this report). Failed to reproduce the POC and, after talking to upstream devs [3], decided to mark as not-affecting.

Regards.
Abhijith PA

[1] - https://lists.debian.org/debian-lts-announce/2018/08/msg00031.html
[2] - https://lists.debian.org/debian-lts-announce/2018/09/msg00002.html
[3] - https://github.com/twigphp/Twig/issues/2743#issuecomment-418817089
