Due to a fire, the data is not complete. This is data restored from git logs, meaning it is far from complete.
Work done this month:
- Worked on php5
- Changed python-bleach CVE from not-affected to ignored. Salvatore pointed out that it was a wrong conclusion but the fix is too invasive in jessie.
- Marked three vulnerabilities for wireshark as postponed.
- CVE-2017-6363 marked as ignored for jessie, following the Debian Security team.
- Added pure-ftpd to DLA needed. A little hard to judge the severity. The package is clearly vulnerable and the fix is really simple.
- Marked CVE-2020-6802 as not affected for jessie. The vulnerable functionality does not exist in this version.
- Added lua-cgi to the dla-needed list with a note that one possibility is to declare it unsupported.
- Added libspring-java to dla-needed with a note that it is not completely triaged. Will continue later.
- Adding rake to dla-needed.txt. Simple to fix.
- CVE-2020-9365 marked as not affected since the vulnerable function does not exist in the jessie version of pure-ftpd. Instead of the vulnerable pure_strcmp the regular strcmp is used in this version.
- ... and more; see the security tracker git.