May 2019 was my 16th month as a Debian LTS paid contributor. I was assigned 14 hours plus 10 hours carried over from last month. I spent 17 hours on the following.
* jruby: was FTBFS for a long time in jessie due to openjdk security uploads. I was able to find an old patch[1] from the openjdk mailing list to fix the FTBFS. Marked CVE-2018-1000073 as not-affected, fixed the remaining 10 vulnerabilities and issued a DLA[2] (CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324 CVE-2019-8325).

* tomcat7: CVE-2019-0221 is a very minor issue. tomcat7 was FTBFS in jessie, similar to jruby. Fixed, tested and released a DLA[3].

* wordpress: Two RCE vulnerabilities, CVE-2019-8942 & CVE-2019-8943, were published by Ripstech. CVE-2019-8942 was fixed in the last update of wordpress (previous month), though CVE-2019-8943 was kept as it is. The 4.1.x branch in jessie gets updates[4] for it every 4-5 months upstream. If a new update comes for CVE-2019-8943 it will be backported. Though with the CVE-2019-8942 fix, CVE-2019-8943 is non-exploitable[5] to an extent, as the former plays an important role.

* ruby-omniauth: CVE-2015-9284 hasn't been fixed upstream. The Rails community created a new gem, omniauth-rails_csrf_protection[6], to address this issue. This vulnerability is actively being discussed in its GitHub issue[6]. I don't see any meaningful reverse dependency for ruby-omniauth in jessie. So it has less priority for now.

* tomcat8: is also affected by CVE-2019-0221 and is currently FTBFS due to a couple of test failures. Started investigating that and will upload in the coming days.
Regards,
Abhijith PA

[1] - https://github.com/jruby/jruby/commit/e9a01086b0c6e37762628806854ca9b28e6f5540
[2] - https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html
[3] - https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html
[4] - https://wordpress.org/download/releases/
[5] - https://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-wordpress-remote-code-execution-vulnerabilities-cve-2019-8942-and-cve-2019-8943/
[6] - https://github.com/cookpad/omniauth-rails_csrf_protection
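The ruby-omniauth item above refers to CVE-2015-9284, a CSRF weakness in the OmniAuth request phase (the GET /auth/:provider endpoint that starts the OAuth dance), and to the omniauth-rails_csrf_protection gem that guards that endpoint with Rails' authenticity-token check. The following is an added, self-contained Ruby example that is not part of the report and not the gem's code: it reproduces the same guard as a Rack-style check, with a hypothetical server secret, a session-bound HMAC token standing in for the Rails authenticity token, and constructed request environments. It rejects the cross-site GET that made the issue exploitable, rejects a forged POST without a valid token, lets a legitimate form submission through, and leaves the callback path (protected by the OAuth state parameter, not by this guard) alone.

```ruby
require "openssl"

# Stand-in for the request-phase CSRF guard that omniauth-rails_csrf_protection
# adds in front of OmniAuth. Constructed example; not the gem's implementation.
module RequestPhaseGuard
  # Assumption: a per-application secret. In a real app this comes from the
  # credentials store, never from source.
  SECRET = "hypothetical-server-secret".freeze

  # Only POST may start the request phase. A plain GET link on an attacker's
  # page is exactly what CVE-2015-9284 abused.
  ALLOWED_METHODS = ["POST"].freeze

  # Matches /auth/<provider> but not /auth/<provider>/callback.
  REQUEST_PATH = %r{\A/auth/[^/]+\z}

  # Token bound to the caller's session id, so one leaked token cannot be
  # replayed against another session.
  def self.token_for(session_id)
    OpenSSL::HMAC.hexdigest("SHA256", SECRET, session_id)
  end

  # Constant-time comparison: reject on length first, then OR all byte
  # differences together so the loop never exits early.
  def self.secure_equal?(a, b)
    return false unless a.is_a?(String) && b.is_a?(String)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # env carries the Rack keys the middleware would inspect; "session_id" and
  # "authenticity_token" are hypothetical flattened stand-ins for the Rack
  # session and the submitted form/header token. Returns [allowed?, reason].
  def self.check(env)
    return [true, "not_request_phase"] unless env["PATH_INFO"].to_s.match?(REQUEST_PATH)
    return [false, "method_not_allowed"] unless ALLOWED_METHODS.include?(env["REQUEST_METHOD"])

    session_id = env["session_id"]
    submitted  = env["authenticity_token"]
    return [false, "missing_token"] if session_id.nil? || submitted.nil?
    return [false, "bad_token"] unless secure_equal?(submitted, token_for(session_id))

    [true, "ok"]
  end
end

if __FILE__ == $0
  victim_session = "sess-victim-42"            # constructed session id
  good_token = RequestPhaseGuard.token_for(victim_session)

  # 1. Attacker page does <img src="https://app/auth/github"> or a GET link.
  p RequestPhaseGuard.check("REQUEST_METHOD" => "GET", "PATH_INFO" => "/auth/github",
                            "session_id" => victim_session)
  # 2. Attacker auto-submits a cross-site form; browser sends the victim's
  #    cookie but the attacker cannot know the session-bound token.
  p RequestPhaseGuard.check("REQUEST_METHOD" => "POST", "PATH_INFO" => "/auth/github",
                            "session_id" => victim_session,
                            "authenticity_token" => RequestPhaseGuard.token_for("sess-attacker"))
  # 3. Legitimate "Connect GitHub" button rendered by the app itself.
  p RequestPhaseGuard.check("REQUEST_METHOD" => "POST", "PATH_INFO" => "/auth/github",
                            "session_id" => victim_session,
                            "authenticity_token" => good_token)
  # 4. Callback phase is out of scope for this guard.
  p RequestPhaseGuard.check("REQUEST_METHOD" => "GET", "PATH_INFO" => "/auth/github/callback",
                            "session_id" => victim_session)
end
```

The two controls are independent and both matter: restricting the request phase to POST defeats the trivial image-tag or link trigger, and the session-bound token defeats an auto-submitted cross-site form, which the browser would otherwise send with the victim's cookies. The callback path is deliberately skipped because it is the OAuth state parameter, not this check, that ties the provider's response back to the session that started it.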
