LTS report 2018-04-01 to 2018-04-30

This time period I used 10 hours.

Wheezy Package Support

For the project Wheezy Package Support, I used 10 hours in the following tasks:

• calibre
• ldap-account-manager
• patch
• python-crypto
• python-django
• rubygems

calibre

• Research 2018-7889.
• This is not security issue in itself, but could be used to trick users into importing data from untrusted sources.
• Upstream fix is to replace pickle format for exported book with json.
• See the calibre thread.
• metadata.db is a seperate issue that is not covered by 2018-7889.
• Followup on previous email.
• Followup on previous email.
• Consider moving package to not-supported list.
• Manually apply patch for CVE-2018-7889.
• Attempt to test patch for CVE-2018-7889.

ldap-account-manager

• Research security vulnerabilities.
• Prepare patched version for CVE-2018-8763.
• Review CVE-2018-8764, no patch required.
• Check get_rdn function for possible simplification.
• Check patch for completeness and find this may not be the case.
• Build and upload version for testing.
• Submit upstream bug report on incomplete fix for CVE-2018-8763.
• Update security tracker for CVE-2018-8763.
• Mark CVE-2018-8764 not-affected in wheezy due to no CSRF support.
• Upload fix for CVE-2018-8763.
• Publish advisory DLA-1342-1.
• See the ldap-account-manager thread.

patch

• Try to understand security patch.
• Posted message to debian-lst.

python-crypto

• Send updated DLA-1283-2 for advisory for CVE-2018-6594.
• See the python-crypto thread for details.
• Update security tracker entry for CVE-2018-6594.

python-django

• Upload fixed versions to Stretch and Jessie.
• Work carried out last month.

rubygems

• CVE-2018-1000074.
• See the rubygems thread 1.
• See the rubygems thread 2.
• Followup on response to debian-lts.
• Update dla-needed.txt.
• Mark package as no-dsa for wheezy.