Hi,

Here is my public monthly report.

Thanks to our sponsors for making this possible, and to Freexian for
handling the offering.
https://www.freexian.com/services/debian-lts.html#sponsors

In March (my first month) I spent my time on LTS as follows:
- creating the right environment (pbuilder, tools) to do the backport
correctly.
- work on imagemagick fixing DLA-3357-1. This release fixes CVE-2020-19667,
CVE-2020-25665, CVE-2020-25666, CVE-2020-25674, CVE-2020-25675, CVE-2020-25676, 
CVE-2020-27560, CVE-2020-27750, CVE-2020-27751, CVE-2020-27754, CVE-2020-27756, 
CVE-2020-27757, CVE-2020-27758, CVE-2020-27759, CVE-2020-27760, CVE-2020-27761, 
CVE-2020-27762, CVE-2020-27763, CVE-2020-27764, CVE-2020-27765, CVE-2020-27766, 
CVE-2020-27767, CVE-2020-27768, CVE-2020-27769, CVE-2020-27770, CVE-2020-27771, 
CVE-2020-27772, CVE-2020-27773, CVE-2020-27774, CVE-2020-27775, CVE-2020-27776, 
CVE-2020-29599, CVE-2021-3574, CVE-2021-3596, CVE-2021-20224, CVE-2022-44267, 
CVE-2022-44268.
- This security update caused a regression in some perl packages due to overly 
restrictive hardening in a policy update (reading from /etc/ was forbidden). 
This hardening patch has been removed (DLA-3357-2).
- I also worked on libreoffice DLA-3368-1, fixing CVE-2021-25636, CVE-2022-3140,
CVE-2022-26305, CVE-2022-26306, CVE-2022-26307.
- I began to work on apache2, particularly on a new build-time/autopkgtest test
suite in order to avoid regressions.

For ELTS:
- port fix for imagemagick from LTS to ELTS ELA-819-1: CVE-2017-18028 
CVE-2020-27767 CVE-2021-3574 CVE-2021-20224 CVE-2022-44267
- found a hard-to-debug bug (thanks to pochu and bunk for the help) in imagemagick.
Imagemagick on ELTS FTBFS when the PID of the builder is > 1,000,000.
I first thought it was a regression, so I tried a git bisect, which failed due to the PID
becoming > 1,000,000. This was slow work due to the build delay of imagemagick.
- I patched dnsmasq in order to fix remaining security bug. I began to write a
test suite for this package in order to avoid regressions.
Unfortunately upstream does not have a test suite, not even a basic unit test suite.

I especially want to thank pochu for porting the salsa CI to LTS and ELTS.

Bastien
