LTS report 2018-04-01 to 2018-04-30
This time period I used 10 hours.
Wheezy Package Support
For the project Wheezy Package Support, I used 10 hours in the following tasks:
- calibre
- ldap-account-manager
- patch
- python-crypto
- python-django
- rubygems
calibre
- Research CVE-2018-7889.
- This is not a security issue in itself, but could be used to trick users into importing data from untrusted sources.
- Upstream fix is to replace pickle format for exported book with json.
- See the calibre thread.
- metadata.db is a separate issue that is not covered by CVE-2018-7889.
- Follow-up on previous email.
- Follow-up on previous email.
- Consider moving package to not-supported list.
- Manually apply patch for CVE-2018-7889.
- Attempt to test patch for CVE-2018-7889.
ldap-account-manager
- Research security vulnerabilities.
- Prepare patched version for CVE-2018-8763.
- Review CVE-2018-8764, no patch required.
- Check get_rdn function for possible simplification.
- Check patch for completeness and find this may not be the case.
- Build and upload version for testing.
- Submit upstream bug report on incomplete fix for CVE-2018-8763.
- Update security tracker for CVE-2018-8763.
- Mark CVE-2018-8764 not-affected in wheezy due to no CSRF support.
- Upload fix for CVE-2018-8763.
- Publish advisory DLA-1342-1.
- See the ldap-account-manager thread.
patch
- Try to understand security patch.
- Posted message to debian-lts.
python-crypto
- Send updated DLA-1283-2 for advisory for CVE-2018-6594.
- See the python-crypto thread for details.
- Update security tracker entry for CVE-2018-6594.
python-django
- Upload fixed versions to Stretch and Jessie.
- Work carried out last month.
rubygems
- CVE-2018-1000074.
- See the rubygems thread 1.
- See the rubygems thread 2.
- Follow-up on response to debian-lts.
- Update dla-needed.txt.
- Mark package as no-dsa for wheezy.