LTS report 2020-04-01 to 2020-04-30
This time period I used 10 hours.
Jessie Package Support
For the project Jessie Package Support, I used 10 hours in the following tasks:
- bluez
- lua-cgi
- ruby-rack
- varnish
- xcftools
bluez
- Investigate CVE-2020-0556.
- New version has accept field in btd_profile that references the hog_accept function, which is patched. None of this exists in the old Jessie version.
lua-cgi
- Mark package as not affected due to bug #954300.
ruby-rack
- Create bug report against Django.
- Attempt to patch CVE-2019-5086.
- Send email to debian-lts mailing list.
- Send email to oss-security mailing list.
varnish
- Investigate CVE-2019-20637.
- Suspect package in Jessie not vulnerable as cnt_recv() specifically deals with case where req->err_code is set.
- Can’t be 100% sure of this.
xcftools
- Research CVE-2019-5086 and CVE-2019-5087.
- Investigate proposed solution for CVE-2019-5086.
- Added findings to upstream bug report.