Here’s my (thirty-sixth) monthly but brief update about the activities I’ve done in the F/L/OSS world.
There’s a bunch of things I do, both, technical and non-technical. Here are the things I did this month:
- rails (2:220.127.116.11+dfsg-2) - Add patch to allow Symbols in YAML columns, fixes #1018934.
- rails (2:18.104.22.168+dfsg-3) - Add patch to remove active_record.yaml initializers.
- rails (2:22.214.171.124+dfsg-4) - Add patch to allow Date, Time, ActiveSupport::HashWithIndifferentAccess in YAML columns.
- ruby-arbre (1.4.0-2) - Add patch to use selector to detect authenticity token input.
- ruby-net-http-digest-auth (1.4.1-1) - New upstream version, v1.4.1 to fix the FTBFS w/ rails.
- rails (2:6.1.7+dfsg-1) - New upstream version, v6.1.7+dfsg.
- redmine (5.0.2-1) - New upstream version, v5.0.2 + fixes for #1017525, #1019607, #1019238, and #1014813.
- redmine (5.0.2-2) - Add patch to relax pg’s version for autopkgtest.
- ruby-json-jwt (1.14.0-2) - No-change rebuild for unstable to fix #1011682.
- libexporter-tiny-perl (1.004002-1) - New upstream version, v1.004002.
- Sponsored php-nikic-fast-route/1.3.0-4~bpo11+1 for William.
- Being an AM for Arun Kumar, process #1024.
- Sponsoring stuff for non-DDs.
- Mentoring for newcomers.
- Moderation of -project mailing list.
I mostly worked on different things, I guess.
I was too lazy to maintain a list of things I worked on so there’s no concrete list atm. Maybe I’ll get back to this section later or will start to list stuff from the fall, as I was doing before. :D
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my thirty-sixth month as a Debian LTS and twenty-seventh month as a Debian ELTS paid contributor.
I worked for 38.00 hours for LTS and 27.00 hours for ELTS.
LTS CVE Fixes and Announcements:
- Rolled out announcement for src:flac.
- Rolled out announcement for src:ruby-rack.
- Issued DLA 3128-1, fixing CVE-2020-7677, for node-thenify.
For Debian 10 buster, these problems have been fixed in version 3.3.0-1+deb10u1.
- Issued DLA 3129-1, fixing CVE-2019-17545 and CVE-2021-45943, for gdal.
For Debian 10 buster, these problems have been fixed in version 2.4.0+dfsg-1+deb10u1.
- Looked at src:mbedtls which has about 18 CVEs opened in buster (including no-dsa).
Also, spoke to the maintainer - they said they’d be uncomfortable doing or reviewing the backport (although they initially said they’d be happy to help).
- Fixed src:rails regression via 2:126.96.36.199+dfsg-2, 2:188.8.131.52+dfsg-3, and 2:184.108.40.206+dfsg-4 for sid.
CVE-2022-32224 broke the entire world. :)
- Helped Abhijith figure out the regression fix for CVE-2022-32224.
Also got that verified by the people who reported regression, Raphael, Sven, and Jude. The whole thread is on debian-lts@.
ELTS CVE Fixes and Announcements:
- Rolled out announcemnet for src:ruby-tzinfo.
- Rolled out announcemnet for src:grubt.
- Issued ELA 682-1, fixing CVE-2022-31676, for open-vm-tools.
For Debian 9 stretch, these problems have been fixed in version 2:10.1.5-5055683-4+deb9u3.
- Issued ELA 691-1, fixing CVE-2020-21365, for wkhtmltopdf.
For Debian 8 jessie, these problems have been fixed in version 0.12.1-2+deb8u1.
For Debian 9 stretch, these problems have been fixed in version 0.12.3.2-3+deb9u1.
- Issued ELA 692-1, fixing CVE-2022-37452, for exim4.
For Debian 8 jessie, these problems have been fixed in version 4.84.2-2+deb8u9.
For Debian 9 stretch, these problems have been fixed in version 4.89-2+deb9u9.
- Started to look at src:tiff again. Has a lot of open issues. Haven’t claimed the package officially yet, though. :)
Other (E)LTS Work:
- Triaged rails, node-thenify, exim4, wkhtmltopdf, gdal, and mbedtls.
- Marked CVE-2019-25050/gdal as not-affected for buster.
- Marked CVE-2022-37451/exim4 as not-affected for stretch and jessie; following buster and bullseye.
- Helped and assisted new contributors joining Freexian (LTS/ELTS).
- Answered questions (& discussions) on IRC (#debian-lts and #debian-elts) and Matrix.
- Participated and helped fellow members with their queries via private mail and chat.
- General and other discussions on LTS private and public mailing list.
- Attended the monthly public meeting held on #debian-lts on September 29th.
Until next time.
:wq for today.