FOSS Activities in December 2022
Here’s my (thirty-ninth) monthly but brief update about the activities I’ve done in the F/L/OSS world.
Debian
This was my 48th month of actively contributing to Debian. I became a DM in late March 2019 and a DD on Christmas ‘19! \o/
There’s a bunch of things I do, both technical and non-technical. Here are the things I did this month:
- Some DebConf work.
- Sponsoring stuff for non-DDs.
- Mentoring for newcomers.
- Moderation of -project mailing list.
Ubuntu
This was my 23rd month of actively contributing to Ubuntu. Now that I joined Canonical to work on Ubuntu full-time, there’s a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there’s no concrete list atm. Maybe I’ll get back to this section later or will start to list stuff from the fall, as I was doing before. :D
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the stretch and jessie releases (+2 years after LTS support).
This was my thirty-ninth month as a Debian LTS and thirtieth month as a Debian ELTS paid contributor.
I worked for 51.50 hours for LTS and 22.50 hours for ELTS.
LTS CVE Fixes and Announcements:
- Issued DLA 3224-1, fixing CVE-2020-8287, for http-parser.
  For Debian 10 buster, these problems have been fixed in version 2.8.1-1+deb10u3.
- Issued DLA 3225-1, fixing CVE-2022-46391, for awstats.
  For Debian 10 buster, these problems have been fixed in version 7.6+dfsg-2+deb10u2.
- Issued DLA 3227-1, fixing CVE-2022-32209, for ruby-rails-html-sanitizer.
  For Debian 10 buster, these problems have been fixed in version 1.0.4-1+deb10u1.
- Issued DLA 3228-1, fixing CVE-2021-3918, for node-json-schema.
  For Debian 10 buster, these problems have been fixed in version 0.2.3-1+deb10u1.
- Issued DLA 3229-1, fixing CVE-2022-21704, for node-log4js.
  For Debian 10 buster, these problems have been fixed in version 4.0.2-2+deb10u1.
- Issued DLA 3230-1, fixing CVE-2021-41182, CVE-2021-41183, CVE-2021-41184, and CVE-2022-31160, for jqueryui.
  For Debian 10 buster, these problems have been fixed in version 1.12.1+dfsg-5+deb10u1.
- Issued DLA 3231-1, fixing CVE-2020-29394, CVE-2020-36244, and CVE-2022-31291, for dlt-daemon.
  For Debian 10 buster, these problems have been fixed in version 2.18.0-1+deb10u1.
- Inspected joblib’s security update upon Helmut’s investigation and see what went wrong there.
- Started to look at other set of packages: node-moment, tiff, ruby*, et al.
ELTS CVE Fixes and Announcements:
- Issued ELA 752-1, fixing CVE-2021-41182, CVE-2021-41183, CVE-2021-41184, and CVE-2022-31160, for jqueryui.
  For Debian 9 stretch, these problems have been fixed in version 1.12.1+dfsg-4+deb9u1.
- Helped facilitate Erlang’s and RabbitMQ’s update; cf: ELA 754-1.
- Looked through python3.4’s FTBFS on armhf. Even diff’d with Ubuntu. No luck. Inspected the traces, doesn’t give a lot of hint either. Will continue to look later next month or so but it’s a rabbit hole. (:
- Inspected joblib’s security update upon Helmut’s investigation and see what went wrong there.
- Started to look at other set of packages: dropbear, tiff, et al.
Other (E)LTS Work:
- Triaged jqueryui, http-parser, awstats, ruby-rails-html-sanitizer, node-json-schema, node-log4js, dlt-daemon, joblib, tiff, dropbear, python3.5, python3.4, ruby-sinatra, erlang, and rabbitmq-server.
- Helped and assisted new contributors joining Freexian (LTS/ELTS/internally).
- Answered questions (& discussions) on IRC (#debian-lts and #debian-elts) and Matrix.
- Participated and helped fellow members with their queries via private mail and chat.
- General and other discussions on LTS private and public mailing list.
- Attended the monthly Freexian meeting.
Until next time.
:wq for today.