FOSS Activites in October 2021
Here’s my (twenty-fifth) monthly but brief update about the activities I’ve done in the F/L/OSS world.
Debian
This was my 34th month of actively contributing to Debian. I became a DM in late March 2019 and a DD on Christmas ‘19! \o/
Just churning through the backlog again this month. Ugh.
Anyway, I did the following stuff in Debian:
Uploads and bug fixes:
Hah, as a surprise, I did no uploads or bug fixes this month. :(
Other $things:
- Mentoring for newcomers.
- Moderation of -project mailing list.
Ubuntu
This was my 9th month of actively contributing to Ubuntu. Now that I’ve joined Canonical to work on Ubuntu full-time, there’s a bunch of things I do! \o/
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there’s no concrete list atm. Maybe I’ll get back to this section later or will start to list stuff from next year onward, as I was doing before. :D
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my twenty-fifth month as a Debian LTS and sixteenth month as a Debian ELTS paid contributor.
I was assigned 28.50 hours for LTS and 40.00 hours for ELTS and worked on the following things:
(however, I only worked for 35h on ELTS work, thereby, carrying over a few hours.)
LTS CVE Fixes and Announcements:
- Issued DLA 2780-1, fixing CVE-2021-31799, CVE-2021-31810, and CVE-2021-32066, for ruby2.3.
For Debian 9 stretch, these problems have been fixed in version 2.3.3-1+deb9u10. - Issued DLA 2743-2, fixing CVE-2017-5715, for amd64-microcode.
For Debian 9 stretch, these problems have been fixed in version 3.20181128.1~deb9u2.
This update took the most time as this had to be co-ordinated w/ multiple people and teams. But finally got this sorted! \o/ - Issued DLA 2808-1, fixing CVE-2021-3733 and CVE-2021-3737, for python3.5.
For Debian 9 stretch, these problems have been fixed in version 3.5.3-1+deb9u5. - Prepped the debian-archive-keyring update, however the build fails because of Jonathan’s GPG keys. Wrote to the list and Jonathan replied that they’ll prep a branch that I can land later. So waiting on that.
ELTS CVE Fixes and Announcements:
- Issued ELA 510-1, fixing CVE-2021-3426, CVE-2021-3733, and CVE-2021-3737, for python3.4.
For Debian 8 jessie, these problems have been fixed in version 3.4.2-1+deb8u11. - Issued ELA 513-1, fixing CVE-2021-33829 and CVE-2021-37695, for ckeditor.
For Debian 8 jessie, these problems have been fixed in version 4.4.4+dfsg1-3+deb8u1. - Took a look at jsoup again. Post-discussion, the customer did not revert, so we decided to ignore the CVEs.
- Worked on openssh’s reported regression (via LP: #1934501) and found that Debian jessie, stretch, buster, and bullseye aren’t affected. Informed the security team as well (whom I woked along with). Given that all seemed in order, we decided to postpone the new CVE since that was a minor issue which can be piggy-backed later with a more severe issue.
- Co-ordinated with Abhijith who unclaimed ntfs-3g and started working on the update. A high number of CVEs are open. Work still in progress.
Other (E)LTS Work:
- Front-desk duty from 27-09 to 03-10 and 25-10 to 31-10 for both LTS and ELTS.
- Triaged rpm, npm, nltk, request-tracker4, ros-ros-comm, mediawiki, ruby2.1, ckeditor, ntfs-3g, jsoup, udisks2, libgit2, python3.5, python3.4, and openssh.
- Mark CVE-2021-3521/rpm as postponed for stretch and jessie.
- Mark CVE-2021-3913{4,5}/npm as no-dsa.
- Mark CVE-2021-3828/nltk as no-dsa for stretch.
- Mark CVE-2021-38562/request-tracker4 as no-dsa for stretch.
- Mark CVE-2021-37146/ros-ros-comm as no-dsa for stretch.
- Mark CVE-2021-28965/ruby2.1 as ignored for jessie.
- Mark CVE-2021-37714/jsoup as ignored for jessie.
- Mark CVE-2021-41617/openssh as no-dsa for jessie.
- Auto EOL’ed ardour, nltk, request-tracker4, python-scrapy, webkit2gtk, and linux for jessie.
- Drop wordpress from dla-needed for stretch and jessie. No update needed.
- Attended monthly Debian LTS meeting.
- Answered questions (& discussions) on IRC (#debian-lts and #debian-elts).
- General and other discussions on LTS private and public mailing list.
Until next time.:wq
for today.