FOSS Activities in February 2021
Here’s my (seventeenth) monthly update about the activities I’ve done in the F/L/OSS world.
Debian
This was my 26th month of active contributing to Debian. I became a DM in late March 2019 and a DD on Christmas ‘19! \o/
This month was a nice mix of amusement, excitement, nervousness, and craziness. More on it below.
Anyway, whilst I was super-insanely busy this month, I still did some Debian stuff here and there. Here are the following things I worked on:
Uploads and bug fixes:
- ruby-mechanize (2.7.7-1) - Fixing CVE-2021-21289.
- rails (2:6.0.3.4+dfsg-3) - Fixing silent build failure, bug #979133.
- tiledb (1.7.7-1.1) - NMU + source-only upload for migration.
- ruby-launchy (2.5.0-3) - Add Breaks+Replaces for launchy; fixing bug #974046.
- ruby-upr (0.3.0-3) - Fixing FTBFS + autopkgtest; cf: bug #883370.
- gdisk (1.0.6-1.1) - Add Restrictions: allow-stderr for autopkgtest; fixing bug #981231.
- test-check-clojure (0.9.0-4) - Fixing FTBFS + autopkgtest; cf: bug #982721.
- rails (2:6.0.3.5+dfsg-1) - Fixing CVE-2021-22880 and CVE-2021-22881.
- ruby-mechanize (2.7.6-1+deb10u1) - pu-upload, fixing CVE-2021-21289.
- ruby-handlebars-assets (2:0.23.8+dfsg-3) - Fixing autopkgtest by embedding a dummy rails app.
- ruby-rails-assets-emojione (2.2.6-5) - Fixing autopkgtest by embedding a dummy rails app.
- ruby-rails-assets-jquery-colorbox (1.6.3~dfsg-7) - Fixing autopkgtest by embedding a dummy rails app.
- ruby-rails-assets-jquery.slimscroll (1.3.6+dfsg-3) - Fixing autopkgtest by embedding a dummy rails app.
- ruby-rails-assets-markdown-it (8.4.2-5) - Fixing autopkgtest by embedding a dummy rails app.
- ruby-mousetrap-rails (1.4.6-7) - Fixing autopkgtest by embedding a dummy rails app.
- ruby-rails-assets-jquery-fullscreen-plugin (0.5.0+dfsg-4) - Fixing autopkgtest by embedding a dummy rails app.
Other $things:
- Attended the Debian LTS team meeting.
- Mentoring for newcomers.
- Moderation of -project mailing list.
- Sponsored ruby-rspec-stubbed-env for Cédric Boutillier, heh :P
Interesting Bits!
Last month, I wrote:
Besides, there’s something more that is in the pipelines. Can’t talk about it now, shh. But hopefully very sooooooon!
And now I can talk about it! So here it is..
I’ve joined Canonical as a SDE to work on Ubuntu, full time!!! \o/
Fully remote + dream job/work + most of the work is in the open-source domain + the beessstttt co-workers one could ever ask for! 💖 It’s been an amazing time so far and I’ll talk more about it later this month.
But for now, here’s our team monitor selfie™ (with Rick missing because of his “secret plan”! 🤦♂️)
We’ll soon e-meet them in a more detailed manner in the next blog post, that is, later this month!
In other exciting news, I got 2 more CVEs assigned!!! \o/
No, it is not something that I found, it was discovered by Tavis Ormandy. I just assigned them a CVE ID, CVE-2021-26937 for screen and CVE-2021-27135 for xterm.
This is my 2nd and 3rd, so I am (still) very excited about this! ^_^
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my sixteenth month as a Debian LTS and eighth month as a Debian ELTS paid contributor.
I was assigned 60.00 hours for LTS and 60.00 hours for ELTS and worked on the following things:
(However, I had worked 9 hours extra for both LTS and ELTS last month, so I had to work 51 hours for each this month!)
LTS CVE Fixes and Announcements:
- Issued DLA 2544-1, fixing CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, and CVE-2020-36230, for openldap.
  For Debian 9 stretch, these problems have been fixed in version 2.4.44+dfsg-5+deb9u7.
- Issued DLA 2545-1, fixing CVE-2020-8020 and CVE-2020-8021, for open-build-service.
  For Debian 9 stretch, these problems have been fixed in version 2.7.1-10+deb9u1.
- Issued DLA 2546-1, fixing CVE-2020-8695, CVE-2020-8696, and CVE-2020-8698, for intel-microcode.
  For Debian 9 stretch, these problems have been fixed in version 3.20201118.1~deb9u1.
- Issued DLA 2548-1, fixing CVE-2020-35502, CVE-2021-20209, CVE-2021-20210, CVE-2021-20211, CVE-2021-20212, CVE-2021-20213, CVE-2021-20215, CVE-2021-20216, and CVE-2021-20217, for privoxy.
  For Debian 9 stretch, these problems have been fixed in version 3.0.26-3+deb9u1.
- Issued DLA 2549-1, fixing CVE-2020-0256 and CVE-2021-0308, for gdisk.
  For Debian 9 stretch, these problems have been fixed in version 1.0.1-1+deb9u1.
- Released a non-maintainer upload, fixing #981231, autopkgtest regression for CVE-2020-0256 and CVE-2021-0308, for gdisk.
  For Debian sid, these problems have been fixed in version 1.0.6-1.1.
- Issued DLA 2554-1, fixing CVE-2021-26910, for firejail.
  For Debian 9 stretch, these problems have been fixed in version 0.9.44.8-2+deb9u2.
- Issued DLA 2558-1, fixing CVE-2021-27135, for xterm.
  For Debian 9 stretch, these problems have been fixed in version 327-2+deb9u1.
- Issued DLA 2561-1, fixing CVE-2021-21289, for ruby-mechanize.
  For Debian 9 stretch, these problems have been fixed in version 2.7.5-1+deb9u1.
- Released buster-pu update, fixing CVE-2021-21289, for ruby-mechanize.
  For Debian 10 Buster, these problems have been fixed in version 2.7.6-1+deb10u1.
- Released team/maintainer upload, fixing CVE-2021-21289, for ruby-mechanize.
  For Debian sid, these problems have been fixed in version 2.7.7-1.
- Released team/maintainer upload, fixing CVE-2021-22880 and CVE-2021-22881, for rails.
  For Debian sid, these problems have been fixed in version 2:6.0.3.5+dfsg-1.
- Issued DLA 2570-1, fixing CVE-2021-26937, for screen.
  For Debian 9 stretch, these problems have been fixed in version 4.5.0-6+deb9u1.
- Issued DLA 2573-1, fixing #981404 and #982519, for libzstd.
  For Debian 9 stretch, these problems have been fixed in version 1.1.2-1+deb9u1.
- Issued DLA 2574-1, fixing CVE-2021-27212, for openldap.
  For Debian 9 stretch, these problems have been fixed in version 2.4.44+dfsg-5+deb9u8.
ELTS CVE Fixes and Announcements:
- Issued ELA 357-1, fixing CVE-2021-3272, for jasper.
  For Debian 8 jessie, these problems have been fixed in version 1.900.1-debian1-2.4+deb8u7.
- Issued ELA 358-1, fixing CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, and CVE-2020-36230, for openldap.
  For Debian 8 jessie, these problems have been fixed in version 2.4.40+dfsg-1+deb8u9.
- Issued ELA 359-1, fixing CVE-2020-27351, for python-apt.
  For Debian 8 jessie, these problems have been fixed in version 0.9.3.14.
- Issued ELA 360-1, fixing CVE-2020-0256 and CVE-2021-0308, for gdisk.
  For Debian 8 jessie, these problems have been fixed in version 0.8.10-2+deb8u1.
- Issued ELA 361-1, fixing CVE-2021-26926 and CVE-2021-26927, for jasper.
  For Debian 8 jessie, these problems have been fixed in version 1.900.1-debian1-2.4+deb8u9.
- Issued ELA 362-1, fixing CVE-2020-8695, CVE-2020-8696, and CVE-2020-8698, for intel-microcode.
  For Debian 8 jessie, these problems have been fixed in version 3.20201118.1~deb8u1.
- Issued ELA 363-1, fixing CVE-2021-27135, for xterm.
  For Debian 8 jessie, these problems have been fixed in version 312-2+deb8u1.
- Issued ELA 371-1, fixing CVE-2021-27212, for openldap.
  For Debian 8 jessie, these problems have been fixed in version 2.4.40+dfsg-1+deb8u10.
Other (E)LTS Work:
- Front-desk duty from 22-02 until 28-02 for both LTS and ELTS.
- Triaged privoxy, dnsmasq, openldap, libzstd, ruby-mechanize, firefox-esr, thunderbird, screen, xterm, glibc, isync, rails, openscad, imagemagick, avahi, gdk-pixbuf, python-reportlab, python-aiohttp, spip, gdisk, and jasper.
- Marked CVE-2021-20214/privoxy as not-affected for stretch.
- Marked CVE-2021-27645/glibc as no-dsa for stretch.
- Marked CVE-2021-20247/isync as no-dsa for stretch.
- Marked CVE-2020-28599/openscad as no-dsa for stretch.
- Marked CVE-2021-2024{1,4-6}/imagemagick as ignored for stretch.
- Marked CVE-2021-26720/avahi as postponed for jessie.
- Marked CVE-2021-20240/gdk-pixbuf as not-affected for jessie.
- Marked CVE-2021-27645/glibc as no-dsa for jessie.
- Marked CVE-2020-28463/python-reportlab as postponed for jessie.
- Document extra CVEs as notes for imagemagick in jessie.
- Auto EOL’ed libupnp, webkit2gtk, libraw, jackson-dataformat-cbor, node-lodash, linux, asterisk, yara, python-django, botan1.10, smarty3, xen, u-boot, steghide, mumble, gsoap, ruby-twitter-stream, isync, nodejs, openscad, mupdf, mongo-java-driver, firefox-esr, thunderbird, and salt for jessie.
- Sponsored upload for php-horde-text-filter for Sylvain and published its DLA announcement.
- Got CVE-2021-26937 for screen. Yay, this is the 2nd one I got assigned! \o/
- Got CVE-2021-27135 for xterm. Woah, this is the 3rd one, am I on a roll or what? \o/
- Co-ordinated with package maintainer (and upstream) of ca-certificates for backporting patch to stretch.
- Co-ordinated with package maintainer of ca-certificates for backporting patch to stretch.
- Co-ordinated with package maintainer of screen for fixing vulnerabilities in stretch.
- Attended monthly meeting for Debian LTS.
- Answered questions (& discussions) on IRC (#debian-lts and #debian-elts).
- Cross-checked LTS survey results, emailed Ola about the problems found.
- General and other discussions on LTS private and public mailing list.
Until next time.
:wq for today.