FOSS Activites in October 2020

Here’s my (thirteenth) monthly update about the activities I’ve done in the F/L/OSS world.

Debian

This was my 22nd month of contributing to Debian. I became a DM in late March last year and a DD last Christmas! \o/

Whilst busy with my undergrad, I could still take some time out for contributing to Debian (I always do!). Here are the following things I did in Debian this month:

Uploads and bug fixes:

• ruby-mini-magick (4.10.1-1) - Fixing FTBFS, bug #966936.
• ruby2.7 (2.7.1-4) - Fixing CVE-2020-25613.
• net-tools (1.60+git20181103.0eebece-1) - Fixing bug #812886, #653117, #621752, and #549397.
• libgit2 (1.0.1+dfsg.1-1) - New upstream version, v1.0.1.
• rails (2:6.0.3.4+dfsg-1) - Fixing CVE-2020-8264/bug #971988.
• ruby2.7 (2.7.2-1) - New upstream version, v2.7.2.
• bundler (2.1.4-3) - Fixing bug #962463.
• ruby2.5 (2.5.5-3+deb10u3) - Fixing CVE-2020-25613.
• ruby2.7 (2.7.2-2) - Fixing bug #970469, #969130, and #968203.
• ruby3.0 (3.0.0~preview1-1) - Introducing ruby3.0, FTW!
• ruby-mysql2 (0.5.3-1) - Fixing FTBFS, bug #923727.
• ruby-rubocop-packaging (0.5.1-1) - Make it compatible with RuboCop v1.0.

Other $things:

• Attended the Debian Ruby team meeting. Logs here.
• Mentoring for newcomers.
• FTP Trainee reviewing.
• Moderation of -project mailing list.
• Sponsored phpmyadmin, php-bacon-baconqrcode, twig, php-dasprid-enum, sql-parser, and mariadb-mysql-kbs for William.

Debian (E)LTS

Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.

And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).

This was my thirteenth month as a Debian LTS and fourth month as a Debian ELTS paid contributor.
I was assigned 20.75 hours for LTS and 30.00 hours for ELTS and worked on the following things:
(for ELTS, I worked for 5.25 hours extra, so my total hours this month for ELTS were 35.25!)

LTS CVE Fixes and Announcements:

• Issued DLA 2389-1, fixing CVE-2019-18978, for ruby-rack-cors.
  For Debian 9 Stretch, these problems have been fixed in version 0.4.0-1+deb9u2.
• Issued DLA 2390-1, fixing CVE-2019-18848, for ruby-json-jwt.
  For Debian 9 Stretch, these problems have been fixed in version 1.6.2-1+deb9u2.
• Issued DLA 2391-1, fixing CVE-2020-25613, for ruby2.3.
  For Debian 9 Stretch, these problems have been fixed in version 2.3.3-1+deb9u9.
• Issued DLA 2392-1, fixing CVE-2020-25613, for jruby.
  For Debian 9 Stretch, these problems have been fixed in version 1.7.26-1+deb9u3.
• Uploaded ruby2.5 to buster, fixing CVE-2020-25613. For Debian 10 Buster, these problems have been fixed in version 2.5.5-3+deb10u3.
• Uploaded ruby2.7 to unstable, fixing CVE-2020-25613. For Debian Sid, these problems have been fixed in version 2.7.1-4.
• Uploaded rails to unstable, fixing CVE-2020-8264. For Debian Sid, these problems have been fixed in version 2:6.0.3.4+dfsg-1.

ELTS CVE Fixes and Announcements:

• Issued ELA 290-1, fixing CVE-2020-25613, for ruby2.1.
  For Debian 8 Jessie, these problems have been fixed in version 2.1.5-2+deb8u11.
• Issued ELA 292-1, fixing CVE-2020-26159, for libonig.
  For Debian 8 Jessie, these problems have been fixed in version 5.9.5-3.2+deb8u5.
• Issued ELA 297-1, fixing CVE-2020-16121 and CVE-2020-16122, for packagekit.
  For Debian 8 Jessie, these problems have been fixed in version 1.0.1-2+deb8u1.
• Issued ELA 298-1, fixing CVE-2020-14355, for spice.
  For Debian 8 Jessie, these problems have been fixed in version 0.12.5-1+deb8u8.
• Issued ELA 299-1, fixing CVE-2020-14355, for spice-gtk.
  For Debian 8 Jessie, these problems have been fixed in version 0.25-1+deb8u2.
• Started working on openldap vulnerabilities, CVEs are yet to be assigned.

Other (E)LTS Work:

• Front-desk duty from 28-09 to 04-10 and from 26-10 until 01-10 for both LTS and ELTS.
• Triaged libproxy, libvirt, libonig, ant, erlang, ruby2.3, jruby, dpdk, php7.0, spice, spice-gtk, wireshark, djangorestframework, python-urllib3, python-cryptography, qtsvg-opensource-src, and open-build-service.
• Marked CVE-2020-26137/python-urllib3 as no-dsa for Stretch and Jessie.
• Marked CVE-2020-1437{4,5,6,7,8}/dpdk as no-dsa for Stretch.
• Marked CVE-2020-2586{2,3}/wireshark as postponed for Stretch.
• Marked CVE-2020-25626/djangorestframework as no-dsa for Stretch.
• Marked CVE-2020-11979/ant as not-affected for Jessie.
• Marked CVE-2020-25623/erlang as not-affected for Jessie.
• Marked CVE-2020-25659/python-cryptography as no-dsa for Stretch and Jessie.
• Auto EOL’ed jruby, libjs-handlebars, linux, pluxml, mupdf, and djangorestframework for Jessie.
• [E/LTS] Worked on putting survey online, deployed LTS Team Pages \o/
• [ELTS] Fix suite-name in ela-needed file and fix other tags and ordering of triages to fix errors in the security tracker.
• [LTS] Sent out invitations for the meeting.
• Attended the sixth private LTS meeting.
• General discussion on LTS private and public mailing list.

Until next time.
:wq for today.