FOSS Activities in January 2021
Here’s my (sixteenth) monthly update about the activities I’ve done in the F/L/OSS world.
Debian
This was my 25th month of contributing to Debian. I became a DM in late March 2019 and a DD on Christmas ‘19! \o/
This month was bat-shit crazy. Why? We’ll come to it later, probably 15th of this month?
Anyway, besides being crazy, hectic, adventurous, and the first of 2021, this month I was super-insanely busy. With what? Hm, more about this later this month! ^_^
However, I still did some Debian stuff here and there. Here are the following things I worked on:
Uploads and bug fixes:
- ruby-rack (2.1.1-6) - Fixing CVE-2020-8184/bug #963477.
- ruby-faye-websocket (0.11.0-1) - Fixing CVE-2020-15133/bug #967061.
- ruby-faye (1.4.0-1) - Fixing CVE-2020-11020/bug #959392 and CVE-2020-15134/bug #967063.
- ruby-rack (2.1.4-2) - Fix failing tests and new upstream version, v2.1.4.
- ruby-rake-ant (1.0.4-1) - Initial release, bug #979498.
- libgit2 (1.1.0+dfsg.1-4) - Source-only upload for migration.
- ruby-scanf (1.0.0-1) - Initial release, bug #979497.
- polybar (3.5.4-1) - New upstream version, v3.5.4.
- fpc (3.2.0+dfsg-10) - Severe crash fix for bugs #979850, #979853, #979862, and #979851.
- ruby-em-redis (0.3.0+gh-3) - Fixing FTBFS, bug #978975, as requested by Holger! :)
- gdebi (0.9.5.7+nmu4) - Fixing FTBFS, bug #951923, as requested by Holger! :)
- ruby-redcarpet (3.4.0-4+deb10u1) - Fixing CVE-2020-26298/bug #980057.
- ruby-in-parallel (0.1.17-1.2) - Fixing autopkgtest, bug #979700.
- ruby-in-parallel (0.1.17-1.3) - Fixing random test failures, bug #980585.
- python-bottle (0.12.15-2+deb10u1) - Fixing CVE-2020-28473.
Other $things:
- Attended the Debian Ruby team meeting.
- Mentoring for newcomers.
- Moderation of -project mailing list.
- Sponsored golang-github-gorilla-css for Fedrico.
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my sixteenth month as a Debian LTS and seventh month as a Debian ELTS paid contributor.
I was assigned 26.00 hours for LTS and 36.75 hours for ELTS and worked on the following things:
(however, I worked extra for 9 hours for LTS and 9 hours for ELTS this month, which I intend to balance from the next month!)
LTS CVE Fixes and Announcements:
- Issued DLA 2518-1, fixing CVE-2020-35492, for cairo.
  For Debian 9 Stretch, these problems have been fixed in version 1.14.8-1+deb9u1.
- Issued DLA 2525-1, fixing CVE-2018-19840, CVE-2018-19841, CVE-2019-11498, CVE-2019-1010315, CVE-2019-1010317, CVE-2019-1010319, and CVE-2020-35738, for wavpack.
  For Debian 9 Stretch, these problems have been fixed in version 5.0.0-2+deb9u3.
- Issued DLA 2526-1, fixing CVE-2020-26298, for ruby-redcarpet.
  For Debian 9 Stretch, these problems have been fixed in version 3.3.4-2+deb9u1.
- Prepared DSA 4831-1, fixing CVE-2020-26298, for ruby-redcarpet.
  For Debian 10 Buster, these problems have been fixed in version 3.4.0-4+deb10u1. The announcement was released by the Security Team.
- Issued DLA 2528-1, fixing CVE-2021-3185, for gst-plugins-bad1.0.
  For Debian 9 Stretch, these problems have been fixed in version 1.10.4-1+deb9u1.
- Issued DLA 2529-1, fixing CVE-2021-3181, for mutt.
  For Debian 9 Stretch, these problems have been fixed in version 1.7.2-1+deb9u5.
- Issued DLA 2531-1, fixing CVE-2020-28473, for python-bottle.
  For Debian 9 Stretch, these problems have been fixed in version 0.12.13-1+deb9u1.
- Released buster-pu update, fixing CVE-2020-28473, for python-bottle.
  For Debian 10 Buster, these problems have been fixed in version 0.12.15-2+deb10u1.
ELTS CVE Fixes and Announcements:
- Issued ELA 344-1, fixing CVE-2020-27350, for apt.
  For Debian 8 Jessie, these problems have been fixed in version 1.0.9.8.7.
- Issued ELA 346-1, fixing CVE-2016-10169, CVE-2018-19840, CVE-2019-1010319, and CVE-2020-35738, for wavpack.
  For Debian 8 Jessie, these problems have been fixed in version 4.70.0-1+deb8u1.
- Issued ELA 347-1, fixing CVE-2020-26298, for ruby-redcarpet.
  For Debian 8 Jessie, these problems have been fixed in version 3.1.2-1+deb8u1.
- Issued ELA 348-1, fixing CVE-2021-3185, for gst-plugins-bad1.0.
  For Debian 8 Jessie, these problems have been fixed in version 1.4.4-2.1+deb8u3.
- Issued ELA 349-1, fixing CVE-2021-3181, for mutt.
  For Debian 8 Jessie, these problems have been fixed in version 1.5.23-3+deb8u5.
- Issued ELA 350-1, fixing CVE-2020-28473, for python-bottle.
Other (E)LTS Work:
- Front-desk duty from 28-12 until 03-01 and from 25-01 until 31-01 for both LTS and ELTS.
- Triaged dropbear, gst-plugins-bad1.0, phpmyadmin, qemu, firefox-esr, thunderbird, openldap, libdatetime-timezone-perl, tzdata, jasper, ckeditor, liblivemedia, wavpack, and ruby-redcarpet.
- Marked CVE-2019-12953/dropbear as postponed for jessie.
- Marked CVE-2019-12953/dropbear as postponed for stretch.
- Marked CVE-2018-19841/wavpack as not-affected for jessie.
- Marked CVE-2019-1010315/wavpack as not-affected for jessie.
- Marked CVE-2019-1010317/wavpack as not-affected for jessie.
- Marked CVE-2021-21252/phpmyadmin as no-dsa for stretch.
- Marked CVE-2021-20196/qemu as postponed for stretch.
- Marked CVE-2021-21252/phpmyadmin as no-dsa for jessie.
- Marked CVE-2021-20196/qemu as postponed for jessie.
- Marked CVE-2020-11947/qemu as postponed for jessie.
- Marked CVE-2021-3326/glibc as no-dsa for jessie.
- Marked CVE-2021-3326/glibc as no-dsa for stretch.
- Marked CVE-2020-35517/qemu as not-affected instead of postponed for jessie.
- Marked CVE-2021-2627{1,2}/ckeditor as postponed for jessie.
- Marked CVE-2020-24027/liblivemedia as no-dsa for stretch.
- Marked CVE-2021-2627{1,2}/ckeditor as postponed for stretch.
- Auto EOL’ed csync2, firefox-esr, linux, thunderbird, collabtive, activemq, and xen for jessie.
- Got my first ever CVE assigned - CVE-2021-3181 for mutt. Weeeehooooo! \o/
- Attended the monthly LTS meeting. Logs here.
- General discussion on LTS private and public mailing list.
Interesting Bits!
This January, on 23rd and 24th, we had Mini DebConf India 2021 online.
I had a talk as well, titled, “Why Point Releases are important and how you can help prepare them?”. It was a fun and a very short talk, where I just list out the reasons and ways to help in the preparation of “point releases”. I did some experimentation with this talk, figuring out what works for the audience and what doesn’t and where I can improve for the next time I talk about this topic! \o/
You can listen to the talk here and let me know if you have any feedback! Anyway, the conference lasted for 2 days and I also did some volunteering (talk director, talkmeister) in Hindi and English, both! It was all so fun and new. Anyway, here’s the picture we took:
In another exciting news, I got my first CVE assigned!!! \o/
No, it is not something that I found, it was discovered by Tavis Ormandy. I just assigned this a CVE ID, CVE-2021-3181.
This is my first, so I am very excited about this! ^_^ Besides, there’s something more that is in the pipelines. Can’t talk about it now, shh. But hopefully very sooooooon!
Other $things! \o/
This month was tiresome, with most of the time being spent on the Debian stuff, I did very little work outside it, really. The issues and patches that I sent are:
- Issue #700 for redcarpet, asking for a reproducer for CVE-2020-26298 and some additional patch related queries.
- Issue #7 for in-parallel, asking them to not use relative paths for tests.
- Issue #8 for in-parallel, reporting a test failure for the library.
- Issue #2 for rake-ant, asking them to bump their dependencies to a newer version.
- PR #3 for rake-ant, bumping the dependencies to a newer version, fixing the above issue, heh.
- Issue #4 for rake-ant, requesting to drop git from their gemspec.
- PR #5 for rake-ant, dropping git from gemspec, fixing the above issue, heh.
- Issue #95 for WavPack, asking for a review of past security vulnerabilities wrt v4.70.0.
- Reviewed PR #128 for ruby-openid, addressing the past regression with CVE fix merge.
- Reviewed PR #63 for cocoapods-acknowledgements, updating redcarpet to v3.5.1, as a safety measure due to recently discovered vulnerability.
- Issue #1331 for bottle, asking for relevant commits for CVE-2020-28473 and clarifying other things.
- Issue #5 for em-redis, reporting test failures on IPv6-only build machines.
- Issue #939 for eventmachine, reporting test failures for em-redis on IPv6-only build machines.
Until next time.
:wq for today.