FOSS Activities in May 2021
Here’s my (twentieth) monthly update about the activities I’ve done in the F/L/OSS world.
Debian
This was my 29th month of actively contributing to Debian. I became a DM in late March 2019 and a DD on Christmas ‘19! \o/
Interesting month, surprisingly. Lots of things happening and lots of moving parts; becoming the “new normal”, I believe. Anyhow, working on Ubuntu full-time has its own advantage and one of them is being able to work on Debian stuff! 🥰
So whilst I couldn’t upload a lot of packages because of the freeze, here’s what I worked on:
Uploads and bug fixes:
- ruby-rack-cors (1.0.2-1+deb10u1) - Fix for CVE-2019-18978/#944849.
- rails (2:6.0.3.7+dfsg-1) - New upstream version, fixing {CVE-2021-22904, CVE-2021-22902, and CVE-2021-22885}/#988214.
- ruby-marcel (1.0.1+dfsg-2) - Upload to unstable for rails.
- python-aws-requests-auth (0.4.3-2) - Enable build-time tests.
- gist (6.0.0-2) - Add patch to skip test when $HTTP_PROXY isn’t set.
- php-cache-lite (1.8.3-1) - New upstream version, fixing FTBFS w/ PHP 8.0.
- Sponsored upload of htmldoc (1.9.3-1+deb10u1) to buster-pu, fixing CVE-2019-19630 and CVE-2021-20308 for Håvard Flaget Aasen.
- Sponsored upload of libbusiness-us-usps-webtools-perl (1.125-1) to unstable, fixing #988330 for Yadd.
- Sponsored upload of radsecproxy (1.8.2-4) to unstable, fixing CVE-2021-32642 for Sven Hartge.
Other $things:
- Mentoring for newcomers and assisting people in BSP.
- Moderation of -project mailing list.
Ubuntu
This was my 4th month of actively contributing to Ubuntu. Now that I’ve joined Canonical to work on Ubuntu full-time, there’s a bunch of things I do! \o/
This month, by all means, was dedicated mostly to PHP 8.0, transitioning from PHP 7.4 to 8.0. Naturally, it had so many moving parts and moments of utmost frustration, shared w/ Bryce. :D
So even though I can’t upload anything, I worked on the following stuff & asked for sponsorship.
But before, I’d like to take a moment to stress how kind and awesome Gianfranco Costamagna, a.k.a. LocutusOfBorg is! He’s been sponsoring a bunch of my things & helping with re-triggers, et al. Thanks a bunch, Gianfranco; beers on me whenever we meet! 🍻
Merges:
- [2021-05-05] ruby2.7 (2.7.3-2ubuntu1).
- [2021-05-11] exim4 (4.94.2-2ubuntu1).
- [2021-05-17] openvpn (2.5.1-3ubuntu1).
- [2021-05-19] autofs (5.1.7-1).
- [2021-05-25] xterm (366-1ubuntu1).
Uploads & Syncs:
- [2021-05-20] php-net-url2/2.2.1-0.2build2 - no-change rebuild.
- [2021-05-26] phpmyadmin/4:5.0.4+dfsg2-2ubuntu1 - fix build w/ PHP 8.
- [2021-05-26] php-async-aws-core/1.7.2-1build1 - no-change rebuild.
- [2021-05-26] php-async-aws-ses/1.3.0-1build1 - no-change rebuild.
- [2021-05-26] php-async-aws-sqs/1.3.2-1build1 - no-change rebuild.
- [2021-05-26] php-http-interop-http-factory-tests/0.9.0-1build1 - no-change rebuild.
- [2021-05-26] php-twig/3.3.2-1 - sync’d from experimental.
- [2021-05-26] php-doctrine-cache/1.10.2-2ubuntu1 - fix build w/ PHP 8.
- [2021-05-26] php-symfony-contracts/2.4.0-1 - sync’d from experimental.
- [2021-05-26] php-phpseclib/2.0.30-2ubuntu1 - fix build w/ PHP 8.
- [2021-05-27] php-email-validator/3.1.1-2 - sync’d from experimental.
- [2021-05-27] php-async-aws-core/1.10.0-1 - sync’d from experimental.
- [2021-05-27] php-async-aws-ses/1.4.0-1 - sync’d from experimental.
- [2021-05-27] php-async-aws-sqs/1.5.0-1 - sync’d from experimental.
- [2021-05-27] libphp-swiftmailer/6.2.4-1ubuntu1 - fix build w/ PHP 8.
- [2021-05-27] phpunit/9.5.4-1 - sync’d from experimental.
- [2021-05-27] php-psr-cache/3.0.0-1 - sync’d from experimental.
- [2021-05-27] php-psr-container/2.0.1-1 - sync’d from experimental.
- [2021-05-28] php-wmerrors/2.0.0~git20190628.183ef7d-2ubuntu1 - fix build w/ PHP 8.
- [2021-05-28] php-monolog/2.2.0-1 - sync’d from experimental.
- [2021-05-28] php-amqplib/3.0.0-1 - sync’d from experimental.
- [2021-05-28] php-cache-lite/1.8.3-1 - uploaded to Debian.
- [2021-05-28] php-cache-lite/1.8.3-1 - sync’d from experimental.
- [2021-05-29] php-symfony-contracts/2.4.0-1ubuntu1 - fix build w/ PHP 8.
- [2021-05-31] php-symfony-contracts/2.4.0-1ubuntu2 - fix build w/ php-cache-container.
MIRs:
- [2021-05-16] LP: #1915445/python-aws-requests-auth.
- [2021-05-20] LP: #1152187/systemd-container.
- [2021-05-31] LP: #1930207/prips.
Seed Operations:
- [2021-05-31] MP #403505/systemd-container for Bionic.
- [2021-06-01] MP #403562/prips for Impish.
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my twentieth month as a Debian LTS and eleventh month as a Debian ELTS paid contributor.
I was assigned 29.75 hours for LTS and 40.00 hours for ELTS and worked on the following things:
LTS CVE Fixes and Announcements:
- Issued DLA 2654-1, fixing CVE-2021-29472, for composer. For Debian 9 stretch, these problems have been fixed in version 1.2.2-1+deb9u1.
- Issued DLA 2655-1, fixing CVE-2021-22885 and CVE-2021-22904, for rails. For Debian 9 stretch, these problems have been fixed in version 2:4.2.7.1-1+deb9u5.
- Issued DLA 2656-1, fixing CVE-2021-3504, for hivex. For Debian 9 stretch, these problems have been fixed in version 1.3.13-2+deb9u1.
- Issued DLA 2659-1, fixing CVE-2018-10196 and CVE-2020-18032, for graphviz. For Debian 9 stretch, these problems have been fixed in version 2.38.0-17+deb9u1.
- Issued DLA 2662-1, fixing CVE-2021-32027 and CVE-2021-32028, for postgresql-9.6. For Debian 9 stretch, these problems have been fixed in version 9.6.22-0+deb9u1. This update was done by the maintainer, Christoph Berg. I just took care of announcing and publishing the update.
- Uploaded ruby-rack-cors to buster-security, fixing CVE-2019-18978. For Debian 10 buster, these problems have been fixed in version 1.0.2-1+deb10u1.
- Issued DLA 2663-1, fixing CVE-2021-22204, for libimage-exiftool-perl. For Debian 9 stretch, these problems have been fixed in version 10.40-1+deb9u1.
ELTS CVE Fixes and Announcements:
- Issued ELA 425-1, fixing CVE-2021-22885 and CVE-2021-22904, for rails. For Debian 8 jessie, these problems have been fixed in version 2:4.1.8-1+deb8u9.
- Uploaded rails to unstable, fixing CVE-2021-22885, CVE-2021-22902, and CVE-2021-22904. For Debian sid, these problems have been fixed in version 2:6.0.3.7+dfsg-1.
- Issued ELA 426-1, fixing CVE-2021-3504, for hivex. For Debian 8 jessie, these problems have been fixed in version 1.3.10-2+deb8u3.
- Issued ELA 428-1, fixing CVE-2018-10196 and CVE-2020-18032, for graphviz. For Debian 8 jessie, these problems have been fixed in version 2.38.0-7+deb8u1.
- Issued ELA 430-1, fixing CVE-2021-22204, for libimage-exiftool-perl. For Debian 8 jessie, these problems have been fixed in version 9.74-1+deb8u1.
Other (E)LTS Work:
- Front-desk duty from 24-05 until 30-05 for both LTS and ELTS.
- Triaged rails, libimage-exiftool-perl, hivex, graphviz, glibc, libexosip2, impacket, node-ws, thunar, libgrss, nginx, postgresql-9.6, ffmpeg, composer, and curl.
- Mark CVE-2019-9904/graphviz as ignored for stretch and jessie.
- Mark CVE-2021-32029/postgresql-9.6 as not-affected for stretch.
- Mark CVE-2020-24020/ffmpeg as not-affected for stretch.
- Mark CVE-2020-22020/ffmpeg as postponed for stretch.
- Mark CVE-2020-22015/ffmpeg as ignored for stretch.
- Mark CVE-2020-21041/ffmpeg as postponed for stretch.
- Mark CVE-2021-33574/glibc as no-dsa for stretch & jessie.
- Mark CVE-2021-31800/impacket as no-dsa for stretch.
- Mark CVE-2021-32611/libexosip2 as no-dsa for stretch.
- Mark CVE-2016-20011/libgrss as ignored for stretch.
- Mark CVE-2021-32640/node-ws as no-dsa for stretch.
- Mark CVE-2021-32563/thunar as no-dsa for stretch.
- [LTS] Help test and review bind9 update for Emilio.
- [LTS] Suggest and add DEP8 tests for bind9 for stretch.
- [LTS] Sponsored upload of htmldoc to buster for Håvard as a consequence of #988289.
- [ELTS] Fix triage order for jetty and graphviz.
- [ELTS] Raise issue upstream about cloud-init; mock tests instead.
- [ELTS] Write to private ELTS list about triage ordering.
- [ELTS] Review Emilio’s new script and write back feedback, mentioning extra file created, et al.
- [ELTS/LTS] Raise upgrade problems from LTS -> LTS+1 to the list. Thread here.
- Further help review and raise problems that could occur, et al.
- [LTS] Help explain path forward for firmware-nonfree update to Ola. Thread here.
- [ELTS] Revert entries of TEMP-0000000-16B7E7 and TEMP-0000000-1C4729; CVEs assigned & fix ELTS tracker build.
- Auto EOL’ed linux, libgrss, node-ws, and inspircd for jessie.
- Attended monthly Debian LTS meeting, which didn’t happen, heh.
- Answered questions (& discussions) on IRC (#debian-lts and #debian-elts).
- General and other discussions on LTS private and public mailing list.
Until next time.
:wq for today.