LTS report 2020-04-01 to 2020-04-30

Apr 22, 2020

LTS report 2020-04-01 to 2020-04-30

This time period I used 10 hours.

Jessie Package Support

For the project Jessie Package Support, I used 10 hours in the following tasks:

bluez
lua-cgi
ruby-rack
varnish
xcftools

bluez

Investiagate CVE-2020-0556.
New version has accept field in btd_profile that references the hog_accept function, which is patched. None of this exists in the old Jessie version.

lua-cgi

Mark package as not affected due to bug #954300.

ruby-rack

Create bug report against Django.
Attempt to patch CVE-2019-5086.
Send email to debian-lts mailing list.
Send email to oss-security mailing list.

varnish

Investigate CVE-2019-20637.
Suspect package in Jessie not vulnerable as cnt_recv() specifically deals with case where req->err_code is set.
Can’t be 100% sure of this.

xcftools

Research CVE-2019-5086 and CVE-2019-5087.
Investigate proposed solution for CVE-2019-5086.
Added findings to upstream bug report.

Comments

(C)opyright Brian May c385261bace85a6a8ce8494db7beb528d3213503 2023-12-01T09:30:43+11:00

Posted: Wed, 22 Apr 2020 00:00:00 +1000