FOSS Activites in August 2023

Here’s my (forty-seventh) monthly but brief update about the activities I’ve done in the F/L/OSS world.

Debian

This was my 56th month of actively contributing to Debian. I became a DM in late March 2019 and a DD on Christmas ‘19! \o/

There’s a bunch of things I do, both, technical and non-technical. Here are the things I did this month:

Uploads

Others

  • Mentoring for newcomers.
  • Bug work and debugging issues for ccextractor.
  • Sponsored the upload of blueman for Christopher Schramm.
  • DebConf Bursary work w/ bursary lead hat on.
  • Helping DebConf orga w/ other things as DebConf is around the corner.
  • Moderation of -project mailing list.

A huge thanks to Freexian for sponsoring my Debian work. :D


Ubuntu

This was my 31st month of actively contributing to Ubuntu. Now that I joined Canonical to work on Ubuntu full-time, there’s a bunch of things I do! \o/

I mostly worked on different things, I guess.

I was too lazy to maintain a list of things I worked on so there’s no concrete list atm. Maybe I’ll get back to this section later or will start to list stuff from the fall, as I was doing before. :D


Debian (E)LTS

Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.

And Debian Extended LTS (ELTS) is its sister project, extending support to the stretch and jessie release (+2 years after LTS support).

This was my forty-seventh month as a Debian LTS and thirty-fourth month as a Debian ELTS paid contributor.
I worked for 12.25 hours for LTS and 72.50 hours for ELTS.

LTS Work:

ELTS Work:

  • Issued ELA 920-1, fixing CVE-2021-23445, for datatables.js.
    For Debian 9 stretch, these problems have been fixed in version 1.10.13+dfsg-2+deb9u1.
  • Issued ELA 924-1, fixing CVE-2023-20867, for open-vm-tools.
    For Debian 8 jessie, these problems have been fixed in version 2:9.4.6-1770165-8+deb8u1.
    For Debian 9 stretch, these problems have been fixed in version 2:10.1.5-5055683-4+deb9u4.
  • Issued ELA 925-1, fixing CVE-2023-38408, for openssh.
    For Debian 8 jessie, these problems have been fixed in version 1:6.7p1-5+deb8u9.
    For Debian 9 stretch, these problems have been fixed in version 1:7.4p1-10+deb9u8.
  • Issued ELA 935-1, fixing CVE-2022-40982, CVE-2022-41804, and CVE-2023-23908, for intel-microcode.
    For Debian 8 jessie, these problems have been fixed in version 3.20230808.1~deb8u1.
    For Debian 9 stretch, these problems have been fixed in version 3.20230808.1~deb9u1.
  • Issued ELA 936-1, fixing CVE-2023-27539, for ruby-rack.
    For Debian 9 stretch, these problems have been fixed in version 1.6.4-4+deb9u5.
  • Issued ELA 937-1, fixing CVE-2023-20197, for clamav.
    For Debian 8 jessie, these problems have been fixed in version 0.103.9+dfsg-0+deb8u1.
    For Debian 9 stretch, these problems have been fixed in version 0.103.9+dfsg-0+deb9u1.

Other (E)LTS Work:

  • Triaged ruby-rack, rails, intel-microcode, datatables.js, open-vm-tools, openssh, clamav, flac, tiff, trafficserver, freeimage, python2.7, c-ares, batik, busybox, cacti, etcd, gnome-gmail, horizon, iotjs, libcrypto++, libsass, mupdf, nasm, opensc, qemu, qtsvg-opensource-src, poppler, tryton-server, wireshark, unrar-nonfree, rar, json-c, and openssl.
  • Mark CVE-2009-1143/open-vm-tools as ignored for buster, stretch, and jessie.
  • Mark CVE-2022-447{29,30}/batik as no-dsa for buster, stretch, and jessie.
  • Mark CVE-2022-48174/busybox as no-dsa for buster, stretch, and jessie.
  • Mark CVE-2022-41444/cacti as no-dsa for buster.
  • Mark CVE-2022-34038/etcd as no-dsa for buster.
  • Mark CVE-2020-24904/gnome-gmail as no-dsa for buster.
  • Mark CVE-2022-45582/horizon as no-dsa for buster.
  • Mark CVE-2020-24187/iotjs as ignored for buster.
  • Mark CVE-2023-38961/iotjs as ignored for buster.
  • Mark CVE-2022-48570/libcrypto++ as no-dsa for buster and stretch.
  • Mark CVE-2022-43358/libsass as no-dsa for buster.
  • Mark CVE-2020-21896/mupdf as no-dsa for buster.
  • Mark CVE-2022-29654/nasm as no-das for buster and stretch.
  • Mark CVE-2021-34193/opensc as no-dsa for buster.
  • Mark CVE-2022-36648/qemu as postponed for buster and stretch.
  • Mark CVE-2021-28025/qtsvg-opensource-src as no-dsa for buster and stretch.
  • Mark poppler CVEs as no-dsa for buster, stretch, and jessie.
  • Mark wireshark CVEs as no-dsa for buster and stretch.
  • Mark CVE-2023-20212/clamav as not-affected for buster and bullseye.
  • Mark CVE-2023-20212/clamav as not-affected for stretch and jessie.
  • Mark CVE-2023-27530/ruby-rack as ignored for stretch.
  • Mark CVE-2021-32292/json-c as not-affected for stretch and jessie.
  • Auto EOL’d exempi, nasm, audiofile, freeimage, graphicsmagick, oggvideotools, mupdf, libraw, linux, opensc, upx-ucl, libsass, radare2, qemu, cacti, horizon, hwloc, libcrypto++, wireshark, ansible, chromium, gerbv, rar, unrar-nonfree, python-pyramid, tryton-server.
  • Discussed about the ckeditor regression in stretch and jessie. Bastien kindly stepped up and rolled out a fix.
  • Helped with the runc and LXC discussions on the mailing list.
  • Pinged the customer about the modsecurity-crs bump.
  • Participated in samba discussion a bit.
  • Initiate the discussion about clamAV being EOL after 2 years and we’ll have to update to 1.0.x which pulls in Rust. :)
  • Helped Bastien w/ some runc vendoring bits.
  • Answered questions (& discussions) on IRC (#debian-lts and #debian-elts) and Matrix.
  • Participated and helped fellow members with their queries via private mail and chat.
  • General and other discussions on LTS private and public mailing list.
  • Attended the monthly LTS meeting.

Until next time.
:wq for today.