Here’s my (twenty-seventh) monthly but brief update about the activities I’ve done in the F/L/OSS world.
Just churning through the backlog again this month. Ugh.
Anyway, I did the following stuff in Debian:
Uploads and bug fixes:
- ruby2.7 (2.7.5-1) - New upstream version fixing 3 new CVEs.
- Mentoring for newcomers.
- Moderation of -project mailing list.
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there’s no concrete list atm. Maybe I’ll get back to this section later or will start to list stuff from next year onward, as I was doing before. :D
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my twenty-seventh month as a Debian LTS and eighteenth month as a Debian ELTS paid contributor.
I was assigned 40.00 hours for LTS and 60.00 hours for ELTS and worked on the following things:
(Since I had a 3-week vacation, I wanted to wrap up the things that were pending, so I worked 20h more for LTS, which I’ll compensate for next month!)
LTS CVE Fixes and Announcements:
- Issued DLA 2844-1, fixing CVE-2021-44540 and CVE-2021-44543, for privoxy.
For Debian 9 stretch, these problems have been fixed in version 3.0.26-3+deb9u3.
- Issued DLA 2847-1, fixing CVE-2021-44858, for mediawiki.
For Debian 9 stretch, these problems have been fixed in version 1:1.27.7-1+deb9u11.
- Issued DLA 2853-1, fixing CVE-2021-41817 and CVE-2021-41819, for ruby2.3.
For Debian 9 stretch, these problems have been fixed in version 2.3.3-1+deb9u11.
- Issued DLA 2854-1, fixing CVE-2017-18635, for novnc.
For Debian 9 stretch, these problems have been fixed in version 1:0.4+dfsg+1+20131010+gitf68af8af3d-6+deb9u1.
- Issued DLA 2860-1, fixing CVE-2018-7750 and CVE-2018-1000805, for paramiko.
For Debian 9 stretch, these problems have been fixed in version 2.0.0-1+deb9u1.
- Issued DLA 2862-1, fixing CVE-2018-12020 and CVE-2019-6690, for python-gnupg.
For Debian 9 stretch, these problems have been fixed in version 0.3.9-1+deb9u1.
- Issued DLA 2864-1, fixing CVE-2017-1002201, for ruby-haml.
For Debian 9 stretch, these problems have been fixed in version 4.0.7-1+deb9u1.
- Issued DLA 2871-1, fixing CVE-2021-43818, for lxml.
For Debian 9 stretch, these problems have been fixed in version 3.7.1-1+deb9u5.
- Simultaneously, I’ve been working on rolling the samba update. Should happen the next month.
ELTS CVE Fixes and Announcements:
- Issued ELA 525-2, fixing CVE-2021-43527, for nss.
For Debian 8 jessie, these problems have been fixed in version 2:3.26-1+debu8u15.
- Issued ELA 530-1 for systemd.
For Debian 8 jessie, these problems have been fixed in version 215-17+deb8u14.
- Issued ELA 531-1, fixing CVE-2021-41817 and CVE-2021-41819, for ruby2.1.
For Debian 8 jessie, these problems have been fixed in version 2.1.5-2+deb8u13.
- Issued ELA 533-1, fixing CVE-2018-12020, for python-gnupg.
For Debian 8 jessie, these problems have been fixed in version 0.3.6-1+deb8u2.
- Issued ELA 536-1, fixing CVE-2021-43818, for lxml.
For Debian 8 jessie, these problems have been fixed (the fixed version string is not recorded in this entry; the text pasted in its place reads: "Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain").
- Started working on src:samba for CVE-2020-25717 to CVE-2020-25722 and CVE-2021-23192 for jessie and stretch, both.
The version difference between the suites is a bit too much for the patch(es) to be easily backported. I’ve talked to Anton to work something out. \o/
- Found the problem w/ libjdom1-java. Will have to roll the regression upload.
I’ve prepared the patch, but it needs some testing before it can finally be rolled out. Same for stretch.
Other (E)LTS Work:
- Front-desk duty from 29-11 to 05-12 and 20-12 to 26-12 for both LTS and ELTS.
- Triaged ffmpeg, git, gpac, inetutils, mc, modsecurity-crs, node-object-path, php-pear, systemd-cron, node-tar, ruby2.3, gst-plugins-bad0.10, npm, nltk, request-tracker4, ros-ros-comm, mediawiki, ruby2.1, ckeditor, ntfs-3g, tiff, wordpress, jsoup, udisks2, libgit2, python3.5, python3.4, and openssh.
- Mark CVE-2021-38171/ffmpeg as postponed for stretch.
- Mark CVE-2021-40330/git as no-dsa for stretch and jessie.
- Mark CVE-2020-19481/gpac as ignored for stretch.
- Mark CVE-2021-40491/inetutils as no-dsa for stretch.
- Mark CVE-2021-36370/mc as no-dsa for stretch and jessie.
- Mark CVE-2021-35368/modsecurity-crs as no-dsa for stretch.
- Mark CVE-2021-23434/node-object-path as end-of-life for stretch.
- Mark CVE-2021-32610/php-pear as no-dsa for stretch.
- Mark CVE-2017-9525/systemd-cron as no-dsa for stretch.
- Mark CVE-2021-37701/node-tar as end-of-life for stretch.
- Mark CVE-2021-37712/node-tar as end-of-life for stretch.
- Mark CVE-2021-39201/wordpress as not-affected for jessie.
- Mark CVE-2020-19143/tiff as not-affected for stretch and jessie.
- Mark CVE-2021-38562/request-tracker4 as no-dsa for stretch.
- Mark CVE-2021-37146/ros-ros-comm as no-dsa for stretch.
- Mark CVE-2021-28965/ruby2.1 as ignored for jessie.
- Mark CVE-2021-37714/jsoup as ignored for jessie.
- Mark CVE-2021-41617/openssh as no-dsa for jessie.
- Auto EOL’ed ardour, nltk, request-tracker4, python-scrapy, webkit2gtk, and linux for jessie.
- Attended monthly Debian LTS meeting.
- Answered questions (& discussions) on IRC (#debian-lts and #debian-elts).
- General and other discussions on LTS private and public mailing list.
Debian LTS Survey
I’ve spent 5 hours on the LTS survey on the following bits:
- Went through the old content on the previous survey.
- Reviewed the new content - still more work to do.
- Discussed the survey bits in the team meeting.
- Partly reviewed the questions of the survey.
- Walked through the instance to check the doability of the tasks discussed in the meeting.
- Segregated and staged questions. More work to do here.
Until next time.
:wq for today.