Debian Long Term Support work 2016 October

This is the second month of being part of the Debian Long Term Support team.

The following contributions were made:

  • Correction of bash (DLA-680-1). Realized that there is a similar issue not described by the CVE and reported that in Debian bug #841856. However, the decision was not to solve that problem, as upstream did not think it was a problem in bash, but rather a problem in the suid software using system call.
  • Correction of nspr (DLA-676-1). This is a mimic of the change in jessie-security. ABI compliance checked.
  • Correction of nss (DLA-677-1). This is essentially a re-build of the jessie-security upload. ABI compliance checked and test suite run.
  • Updated based on instructions from Raphael.
  • Investigated libass CVE-2016-7971. It looks like the problem is not a problem in libass, at least according to the thread upstream.
  • Marked gcc-mingw-w64 and mingw32 as no-dsa for CVE-2016-4973. Compiler DoS is really not a security issue.