LTS report 2019-10-01 to 2019-10-31

This time period I used 10 hours.

Jessie Package Support

For the project Jessie Package Support, I used 10 hours in the following tasks:

  • golang
  • poppler
  • ruby-mini-magick
  • ruby-openid


  • Research issue.
  • Patch doesn’t apply automatically but could be applied by hand easily.
  • Patching tests might be harder. If actually required.
  • Mark CVE-2019-16276 as ignored, as already ignored in Stretch.


  • CVE-2019-9959
  • Create and test patch.
  • Send email to debian-lts mailing list.
  • Investigate CVE-2019-10871.
  • Update patch to set SPLASH_CMYK to solve CVE-2019-10871.
  • Upload fixed version 0.26.5-2+deb8u12 to jessie-security.
  • Post DLA-1963-1.
  • Add DLA-1963-1 to website.
  • Upload caused regression in xpdf.
  • Test and reproduce error.
  • Upload version 0.26.5-2+deb8u13 with fix for CVE-2019-10871 reversed.
  • Post DLA-1963-2.
  • Add DLA-1963-2 to website.


  • Further debugging of problem.


  • Create patch and post email to LTS mailing list.
  • Upload fixed version 2.5.0debian-1+deb8u1.
  • Reserve DLA-1956-1.
  • Post DLA-1956-1.
  • Add DLA-1956-1 to website.