Here’s my (twenty-third) monthly but brief update about the activities I’ve done in the F/L/OSS world.
Tough month, but I mostly spent it churning through the immense backlog. That somewhat backfired, though, and I now have even more backlog than ever. :D
Anyway, I did the following stuff in Debian:
Uploads and bug fixes:
- ruby3.0 (3.0.0-2) - Upload to unstable! \o/
- Mentoring for newcomers.
- Moderation of -project mailing list.
I mostly worked on different things, I guess. But mostly on packaging keylime and some Google Agents upload(s) and SRU(s). Also did a lot of reviewing, etc.
I was too lazy to maintain a list of things I worked on so there’s no concrete list atm. Maybe I’ll get back to this section later or will start to list stuff from next month onward, as I’ve been doing before. :D
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
Debian Extended LTS (ELTS) is its sister project, extending support for the Jessie release by a further 2 years after LTS support ends.
This was my twenty-third month as a Debian LTS and eleventh month as a Debian ELTS paid contributor.
I was assigned 23.75 hours for LTS and 40.00 hours for ELTS and worked on the following things:
(however, I only worked for 23.75h on ELTS work, thereby carrying the rest over to next month)
LTS CVE Fixes and Announcements:
- Issued DLA 2743-1, fixing CVE-2017-5715, for amd64-microcode.
For Debian 9 stretch, these problems have been fixed in version 3.20181128.1~deb9u1.
- Issued DLA 2744-1, fixing the versioning issue, for usermode.
For Debian 9 stretch, these problems have been fixed in version 1.109-1+deb9u1.
- Issued DLA 2750-1, fixing CVE-2019-20421, CVE-2021-3482, CVE-2021-29457, CVE-2021-29473, CVE-2021-31291, and CVE-2021-31292, for exiv2.
For Debian 9 stretch, these problems have been fixed in version 0.25-3.1+deb9u3.
ELTS CVE Fixes and Announcements:
- Issued ELA 479-1, fixing CVE-2019-20421, CVE-2021-3482, CVE-2021-29457, CVE-2021-29473, CVE-2021-31291, and CVE-2021-31292, for exiv2.
For Debian 8 jessie, these problems have been fixed in version 0.24-4.1+deb8u6.
- Noticed that there’s a fallout of CVE-2021-3185, where an update was issued for gst-plugins-bad1.0, however, not for gst-plugins-bad0.10.
Thanks to Sylvain’s script, this came up and I prepped an update for that.
- Started to work on libjdom1-java’s regression.
Other (E)LTS Work:
- Front-desk duty from 26-07 until 01-08 and from 30-08 until 05-09 for both LTS and ELTS.
- Triaged haproxy, ntfs-3g, cyrus-imapd, exiv2, ffmpeg, git, gpac, inetutils, mc, modsecurity-crs, node-object-path, php-pear, systemd-cron, node-tar, ruby2.3, gst-plugins-bad0.10, jsoup, libxstream-java, qemu, tomcat7, ruby2.1, prototypejs, pillow, cpio, qtbase-opensource-src, and amd64-microcode.
- Mark CVE-2021-39240/haproxy as not-affected for stretch and jessie.
- Mark CVE-2021-39241/haproxy as not-affected for stretch and jessie.
- Mark CVE-2021-39242/haproxy as not-affected for stretch and jessie.
- Mark CVE-2021-33582/cyrus-imapd as no-dsa for stretch.
- Mark CVE-2020-18771/exiv2 as no-dsa for stretch.
- Mark CVE-2020-18899/exiv2 as no-dsa for stretch.
- Mark CVE-2021-38171/ffmpeg as postponed for stretch.
- Mark CVE-2021-40330/git as no-dsa for stretch and jessie.
- Mark CVE-2020-19481/gpac as ignored for stretch.
- Mark CVE-2021-40491/inetutils as no-dsa for stretch.
- Mark CVE-2021-36370/mc as no-dsa for stretch and jessie.
- Mark CVE-2021-35368/modsecurity-crs as no-dsa for stretch.
- Mark CVE-2021-23434/node-object-path as end-of-life for stretch.
- Mark CVE-2021-32610/php-pear as no-dsa for stretch.
- Mark CVE-2017-9525/systemd-cron as no-dsa for stretch.
- Mark CVE-2021-37701/node-tar as end-of-life for stretch.
- Mark CVE-2021-37712/node-tar as end-of-life for stretch.
- Mark CVE-2021-3750/qemu as postponed for jessie.
- Mark CVE-2021-27511/prototypejs as postponed for jessie.
- Mark CVE-2021-23437/pillow as postponed for stretch and jessie.
- Auto EOL’ed gpac, cacti, openscad, cgal, cyrus-imapd-2.4, libsolv, mosquitto, atomicparsley, gtkpod, node-tar, libapache2-mod-auth-openidc, neutron, inetutils and linux for jessie.
- Drop cpio from ela-needed; open issues don’t warrant an ELA.
- Attended monthly Debian LTS meeting.
- Answered questions (& discussions) on IRC (#debian-lts and #debian-elts).
- General and other discussions on LTS private and public mailing list.
Until next time.
:wq for today.