July was the third month I contributed to Debian LTS under the Freexian umbrella. In total I spent eight hours working on:
lighttpd: Fixed CVE-2014-3566 by adding an option to disable SSLv3 (ssl.use-sslv3) compatible with the option added to newer versions. This resulted in DLA-282-1.
nss: research on CVE-2015-2730 and CVE-2015-2721. Work on the former is still ongoing since the bug#1125025 referenced in the Mozilla advisory has restricted access and I did not manage to get it opened yet. I found commits in upstream's Mercurial that reference the bug though, and the committer was nice enough to answer questions.
The backported changes for CVE-2015-2721 involve lots of changes to the internal state machine when accepting SSL connections, so I'm currently looking into backporting the test suite for that on non-LTS time.
Besides that I did CVE triaging of 11 CVEs to check if and how they affect oldoldstable security as part of my LTS front desk work.