LTS report 2018-04-01 to 2018-04-30

This time period I used 10 hours.

Wheezy Package Support

For the project Wheezy Package Support, I used 10 hours in the following tasks:

  • calibre
  • ldap-account-manager
  • patch
  • python-crypto
  • python-django
  • rubygems

calibre

  • Research CVE-2018-7889.
  • This is not a security issue in itself, but could be used to trick users into importing data from untrusted sources.
  • Upstream fix is to replace pickle format for exported book with json.
  • See the calibre thread.
  • metadata.db is a separate issue that is not covered by CVE-2018-7889.
  • Follow up on previous email.
  • Follow up on previous email.
  • Consider moving package to not-supported list.
  • Manually apply patch for CVE-2018-7889.
  • Attempt to test patch for CVE-2018-7889.

ldap-account-manager

  • Research security vulnerabilities.
  • Prepare patched version for CVE-2018-8763.
  • Review CVE-2018-8764, no patch required.
  • Check get_rdn function for possible simplification.
  • Check patch for completeness and find this may not be the case.
  • Build and upload version for testing.
  • Submit upstream bug report on incomplete fix for CVE-2018-8763.
  • Update security tracker for CVE-2018-8763.
  • Mark CVE-2018-8764 not-affected in wheezy due to no CSRF support.
  • Upload fix for CVE-2018-8763.
  • Publish advisory DLA-1342-1.
  • See the ldap-account-manager thread.

patch

python-crypto

  • Send updated DLA-1283-2 for advisory for CVE-2018-6594.
  • See the python-crypto thread for details.
  • Update security tracker entry for CVE-2018-6594.

python-django

  • Upload fixed versions to Stretch and Jessie.
  • Work carried out last month.

rubygems