FOSS Activities in January 2023
Here’s my (fortieth) monthly but brief update about the activities I’ve done in the F/L/OSS world.
Debian
This was my 49th month of actively contributing to Debian. I became a DM in late March 2019 and a DD on Christmas ‘19! \o/
There’s a bunch of things I do, both technical and non-technical. Here are the things I did this month:
Uploads
- redmine (5.0.4-1) - Fixing bug #1022818, #1026048, and #1027340.
- libyang2 (2.1.30-2) - Adding DEP8 test for yangre.
Others
- Proposed tomcat9 bullseye -pu via 9.0.43-2~deb11u5.
- Helped Otto with review of mariadb from NEW.
- Sponsored php-font-lib for William.
- Advocated William for becoming DD, uploading.
- Granted some DM rights.
- Mentoring for newcomers.
- Reviewed libgit2 bits, new uploads and changes.
- Moderation of -project mailing list.
A huge thanks to Freexian for sponsoring my Debian work. :D
Ubuntu
This was my 24th month of actively contributing to Ubuntu. Now that I joined Canonical to work on Ubuntu full-time, there’s a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there’s no concrete list atm. Maybe I’ll get back to this section later or will start to list stuff from the fall, as I was doing before. :D
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the stretch and jessie releases (+2 years after LTS support).
This was my fortieth month as a Debian LTS and thirty-first month as a Debian ELTS paid contributor.
I worked for 43.25 hours for LTS and 25.00 hours for ELTS.
LTS CVE Fixes and Announcements:
- Issued DLA 3281-1, fixing CVE-2022-47950, for swift.
  For Debian 10 buster, these problems have been fixed in version 2.19.1-1+deb10u1.
- Issued DLA 3295-1, fixing CVE-2022-24785 and CVE-2022-31129, for node-moment.
  For Debian 10 buster, these problems have been fixed in version 2.24.0+ds-1+deb10u1.
- Issued DLA 3296-1, fixing CVE-2023-24038, for libhtml-stripscripts-perl.
  For Debian 10 buster, these problems have been fixed in version 1.06-1+deb10u1.
- Issued DLA 3297-1, fixing CVE-2022-48281, for tiff.
  For Debian 10 buster, these problems have been fixed in version 4.1.0+git191117-2~deb10u6.
- Issued DLA 3298-1, fixing CVE-2020-8161, CVE-2020-8184, CVE-2022-44570, CVE-2022-44571, and CVE-2022-44572, for ruby-rack.
  For Debian 10 buster, these problems have been fixed in version 2.0.6-3+deb10u2.
- Issued DLA 3300-1, fixing CVE-2022-47951, for glance.
  For Debian 10 buster, these problems have been fixed in version 2:17.0.0-5+deb10u1.
- Issued DLA 3301-1, fixing CVE-2022-47951, for cinder.
  For Debian 10 buster, these problems have been fixed in version 2:13.0.7-1+deb10u2.
- Issued DLA 3302-1, fixing CVE-2022-47951, for nova.
  For Debian 10 buster, these problems have been fixed in version 2:18.1.0-6+deb10u2.
- Issued DLA 3303-1, fixing CVE-2022-25648, CVE-2022-46648, and CVE-2022-47318, for ruby-git.
  For Debian 10 buster, these problems have been fixed in version 1.2.8-1+deb10u1.
- Started to look at other set of packages.
ELTS CVE Fixes and Announcements:
- Issued ELA 784-1, fixing CVE-2022-25648, CVE-2022-46648, and CVE-2022-47318, for ruby-git.
  For Debian 9 stretch, these problems have been fixed in version 1.2.8-1+deb9u1.
- Issued ELA 785-1, fixing CVE-2022-44570 and CVE-2022-44571, for ruby-rack.
  For Debian 9 stretch, these problems have been fixed in version 1.6.4-4+deb9u4.
- Issued ELA 787-1, fixing CVE-2022-45442, for ruby-sinatra.
  For Debian 9 stretch, these problems have been fixed in version 1.4.7-5+deb9u2.
- Helped facilitate Erlang’s and RabbitMQ’s update; cf: ELA 754-1.
- Started to look at other set of packages.
Other (E)LTS Work:
- Triaged node-moment, modsecurity-apache, ruby-git, ruby-sinatra, gpac, cargo, git, openjdk-11, swift, libxpm, lilypond, openjdk-8, modsecurity, netdata, nim, rust-cargo, sgt-puzzles, apache2, wireshark, libhtml-stripscripts-perl, redis, tomcat8, tiff, ruby-rack, tmux, ruby-rack, ruby-sidekiq, libapache2-mod-auth-mellon, jupyter-core, net-snmp, and rabbitmq-server.
- Marked CVE-2023-{0358,2314{3-5}}/gpac as EOL for buster.
- Marked CVE-2022-46176/cargo as no-dsa in buster.
- Marked CVE-2022-4{4617,6285,883}/libxpm as no-dsa for buster, stretch, and jessie.
- Marked CVE-2020-17354/lilypond as ignored for buster.
- Marked CVE-2022-48279/modsecurity as no-dsa for buster.
- Marked CVE-2023-2249{6,7}/netdata as no-dsa for buster.
- Marked CVE-2021-46872/nim as no-dsa for buster.
- Marked CVE-2022-46176/rust-cargo as no-dsa in buster.
- Marked TEMP-1028986-7037E6/sgt-puzzles as no-dsa for buster.
- Marked CVE-2006-20001 and CVE-2022-3{6760,7436}/apache2 as postponed for stretch and jessie.
- Marked CVE-2023-22458/redis as not-affected for stretch and jessie.
- Marked CVE-2022-45143/tomcat8 as postponed for stretch and jessie.
- Marked CVE-2022-44572/ruby-rack as not-affected for stretch.
- Marked CVE-2022-47950/swift as not-affected for stretch.
- Auto EOL’d node-debug, nim, netty, ruby-git, firefox-esr, linux, swift, radare2, gpac, virtualbox, shiro, sgt-puzzles, pdns-recursor, sofia-sip, libgit2, wireshark, amanda, libhtml-stripscripts-perl, pkgconf, libapache-session-ldap-perl, golang-yaml.v2, nvidia-graphics-drivers, xen, rails, ruby-rack, assimp, thunderbird, cinder, glance, nova, editorconfig-core, chromium, ruby-globalid, spip, opusfile, pgpool2, and ruby-sanitize.
- Helped and assisted new contributors joining Freexian (LTS/ELTS/internally).
- Answered questions (& discussions) on IRC (#debian-lts and #debian-elts) and Matrix.
- Participated and helped fellow members with their queries via private mail and chat.
- General and other discussions on LTS private and public mailing list.
- Attended the monthly LTS meeting.
Until next time.
:wq for today.