This is my second month as part of the Debian Long Term Support team.
The following contributions were made:
- Correction of bash (DLA-680-1). Realized that there is a similar issue not described by the CVE and reported that in Debian bug #841856. However, the decision was to not solve that problem, as upstream did not think it was a problem in bash, but rather a problem in the suid software using system call.
- Correction of nspr (DLA-676-1). This mimics the change in jessie-security. ABI compliance checked.
- Correction of nss (DLA-677-1). This is essentially a re-build of the jessie-security upload. ABI compliance checked and test suite run.
- Updated https://wiki.debian.org/LTS/Development based on instructions from Raphael.
- Investigated libass CVE-2016-7971. It looks like the problem is not a problem in libass, at least according to the thread upstream.
- Marked gcc-mingw-w64 and mingw32 as no-dsa for CVE-2016-4973. Compiler DoS is really not a security issue.