LTS report 2020-04-01 to 2020-04-30

This time period I used 10 hours.

Jessie Package Support

For the project Jessie Package Support, I used 10 hours in the following tasks:

  • bluez
  • lua-cgi
  • ruby-rack
  • varnish
  • xcftools


  • Investiagate CVE-2020-0556.
  • New version has accept field in btd_profile that references the hog_accept function, which is patched. None of this exists in the old Jessie version.



  • Create bug report against Django.
  • Attempt to patch CVE-2019-5086.
  • Send email to debian-lts mailing list.
  • Send email to oss-security mailing list.


  • Investigate CVE-2019-20637.
  • Suspect package in Jessie not vulnerable as cnt_recv() specifically deals with case where req->err_code is set.
  • Can’t be 100% sure of this.


  • Research CVE-2019-5086 and CVE-2019-5087.
  • Investigate proposed solution for CVE-2019-5086.
  • Added findings to upstream bug report.