FOSS Activites in March 2022

Here’s my (thirtieth) monthly but brief update about the activities I’ve done in the F/L/OSS world.

Debian

This was my 39th month of actively contributing to Debian. I became a DM in late March 2019 and a DD on Christmas ‘19! \o/

I recovered this month and cleared up a bunch of my backlog. So a good month, that way.

I didn’t do any uploads this month but I still did the following this month:

Other $things:

• Volunteering for DC22 Content team.
• Volunteering for DC22 Bursary team.
• Being a DC22 Bursary lead along w/ Paulo.
• Being an AM for Arun Kumar, process #1024.
• Mentoring for newcomers.
• Moderation of -project mailing list.

Ubuntu

This was my 14th month of actively contributing to Ubuntu. Now that I joined Canonical to work on Ubuntu full-time, there’s a bunch of things I do! \o/

I mostly worked on different things, I guess.

I was too lazy to maintain a list of things I worked on so there’s no concrete list atm. Maybe I’ll get back to this section later or will start to list stuff from the fall, as I was doing before. :D

Debian (E)LTS

Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.

And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).

This was my thirtieth month as a Debian LTS and nineteenth month as a Debian ELTS paid contributor.
I worked for 57.75 out of 59.50 hours for LTS and 42.25 out of 60.00 hours for ELTS.

LTS CVE Fixes and Announcements:

• Issued DLA 2943-1, fixing CVE-2021-30151 and CVE-2022-23837, for ruby-sidekiq.
  For Debian 9 stretch, these problems have been fixed in version 4.2.3+dfsg-1+deb9u1.
• Issued DLA 2951-1, fixing CVE-2021-0561, for flac.
  For Debian 9 stretch, these problems have been fixed in version 1.3.2-2+deb9u2.
• Issued DLA 2956-1, fixing some vulnerabilties which haven’t a CVE ID assigned yet, for wordpress.
  For Debian 9 stretch, these problems have been fixed in version 4.7.23+dfsg-0+deb9u1.
• Issued DLA 2958-1, fixing CVE-2021-3700, for usbredir.
  For Debian 9 stretch, these problems have been fixed in version 0.7.1-1+deb9u1.
• Issued DLA 2936-1, fixing CVE-2018-8098, CVE-2018-8099, CVE-2018-10887, CVE-2018-10888, CVE-2018-15501, CVE-2020-12278, CVE-2020-12279, CVE-2019-1352, and CVE-2019-1353, for libgit2.
  For Debian 9 stretch, these problems have been fixed in version 0.25.1+really0.24.6-1+deb9u1.
• Working on src:tiff and src:mbedtls to fix the issues, waiting for more issues to be reported, though.
• Help and assisted others w/ their queries, see “Other (E)LTS Work” section for more details.

ELTS CVE Fixes and Announcements:

• Issued ELA 578-1, fixing CVE-2021-0561, for flac.
  For Debian 8 jessie, these problems have been fixed in version 1.3.0-3+deb8u2.
• Issued ELA 582-1, fixing some vulnerabilties which haven’t a CVE ID assigned yet, for wordpress.
  For Debian 8 jessie, these problems have been fixed in version 4.1.35+dfsg-0+deb8u1.
• Worked on readying up python2.7 update. But the tests fails with a segfault but only on jessie. The very same works fine on stretch.
  Been trying to workthru the tests but it looks that it’s a test-only thing. But I’ll double-check to be sure. :)
• Looked into src:bind9 for Markus. Also, coordinated the same w/ the Ubuntu security team (ESM one). Reported the findings that I and Marc discussed.
  Markus seemed to workthru a way out in the end. \o/
• Working on src:tiff and src:beep to fix the issues, waiting for more issues to be reported for src:tiff and src:beep is a bit of a PITA, though. :)

Other (E)LTS Work:

• Triaged xterm, dojo, strongswan, ruby-sidekiq, flac, wordpress, usbredir, debian-edu-config, libphp-adodb, and libgit2,
• Contributed to “Freexian values” (cf: internal survey).
• Read through the logs of the monthly Debian LTS meeting.
• Helped w/ debian-archive-keyring thread and gave pointers to Anton.
• Sorted out the LXD VM issue for src:libgit2 upload.
• Helped answer Markus’ question on src:bind9 security/regression updates.
• Answered questions (& discussions) on IRC (#debian-lts and #debian-elts).
• General and other discussions on LTS private and public mailing list.
• Attended the monthly LTS meeting. Happened on #debian-lts this month.

Debian LTS Survey

I’ve spent 9 hours on the LTS survey on the following bits:
(but I’ll invoice them next month)

• Organize questions. Re-order, fix, and add things wherever needed.
• Finally set the whole thing up.
• Did a couple of dry-runs.
• Drafted the mail to be sent.

Until next time.
:wq for today.