Introduction
Hey,

I joined back in July as a trainee and have been a part of the LTS team since this October, and all this while I forgot to introduce myself, so here it goes..

I am a 19 y/o Debian Maintainer (opening an NM process for DM -> DD this weekend :)). Being a part of the Ruby, JS, Golang, Perl, and Python teams, I mostly help in maintaining GitLab, Rails, Ruby, et al. The other libraries/applications that I maintain are listed on my DDPO[1]. Besides Debian, I contribute to typeshed[2] and other projects.

Being in my junior year, the major chunk of my time goes into University stuff. Apart from open source, my interests lie in Parsers, Compilers, and Computer Architecture. Though I haven't gotten very far there yet, I hope I soon will (still figuring out how to go about it).

I learned about LTS during Abhijith's talk at MiniDebConf Delhi, somewhere in March this year, and I've been interested in it since then. And at this DebConf, I met Holger and finally became a part of it :D

Much thanks to Abhijith and Holger for helping me out all this while with the workflow :) Excited to be a part of the team :D

Best,
Utkarsh

---
[1]: https://qa.debian.org/developer.php?login=guptautkarsh2...@gmail.com
[2]: https://github.com/python/typeshed
Re: Training process
Hey,

On Mon, Sep 30, 2019 at 01:13:45PM +0200, Sylvain Beucler wrote:
> Hi,
>
> First, welcome to Utkarsh Gupta in the team :)

Thank you! :D

> From what I understand there was a training during July and August,
> resulting in active status this month.
> I saw zero traces of this training besides a passing anonymous
> mention in Raphael's reports.
> Possibly we can clarify this a lil' bit? Or did I miss an information
> source?

Whilst Holger replied to it already; from my end, I'll write a short blog post (hopefully this weekend!) describing the things I did and learned as a trainee. Shall push to planet.d.o as well!

> This would also help welcome new members, I myself remember a solid
> silence when I joined (while I explicitly introduced my application at
> debian-lts@l.d.o).

Definitely! I'll write a quick introduction to this list in a while. Sorry for forgetting and thank you for reminding! :)

Best,
Utkarsh
Accepted firefox-esr 60.9.0esr-1~deb8u2 (source i386 all) into oldoldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 01 Oct 2019 10:05:19 +0200
Source: firefox-esr
Binary: firefox-esr iceweasel firefox-esr-dbg iceweasel-dbg firefox-esr-l10n-all iceweasel-l10n-all firefox-esr-l10n-ach iceweasel-l10n-ach firefox-esr-l10n-af iceweasel-l10n-af firefox-esr-l10n-an iceweasel-l10n-an firefox-esr-l10n-ar iceweasel-l10n-ar firefox-esr-l10n-as iceweasel-l10n-as firefox-esr-l10n-ast iceweasel-l10n-ast firefox-esr-l10n-az iceweasel-l10n-az firefox-esr-l10n-be iceweasel-l10n-be firefox-esr-l10n-bg iceweasel-l10n-bg firefox-esr-l10n-bn-bd iceweasel-l10n-bn-bd firefox-esr-l10n-bn-in iceweasel-l10n-bn-in firefox-esr-l10n-br iceweasel-l10n-br firefox-esr-l10n-bs iceweasel-l10n-bs firefox-esr-l10n-ca iceweasel-l10n-ca firefox-esr-l10n-cak iceweasel-l10n-cak firefox-esr-l10n-cs iceweasel-l10n-cs firefox-esr-l10n-cy iceweasel-l10n-cy firefox-esr-l10n-da iceweasel-l10n-da firefox-esr-l10n-de iceweasel-l10n-de firefox-esr-l10n-dsb iceweasel-l10n-dsb firefox-esr-l10n-el iceweasel-l10n-el firefox-esr-l10n-en-gb iceweasel-l10n-en-gb firefox-esr-l10n-en-za iceweasel-l10n-en-za firefox-esr-l10n-eo iceweasel-l10n-eo firefox-esr-l10n-es-ar iceweasel-l10n-es-ar firefox-esr-l10n-es-cl iceweasel-l10n-es-cl firefox-esr-l10n-es-es iceweasel-l10n-es-es firefox-esr-l10n-es-mx iceweasel-l10n-es-mx firefox-esr-l10n-et iceweasel-l10n-et firefox-esr-l10n-eu iceweasel-l10n-eu firefox-esr-l10n-fa iceweasel-l10n-fa firefox-esr-l10n-ff iceweasel-l10n-ff firefox-esr-l10n-fi iceweasel-l10n-fi firefox-esr-l10n-fr iceweasel-l10n-fr firefox-esr-l10n-fy-nl iceweasel-l10n-fy-nl firefox-esr-l10n-ga-ie iceweasel-l10n-ga-ie firefox-esr-l10n-gd iceweasel-l10n-gd firefox-esr-l10n-gl iceweasel-l10n-gl firefox-esr-l10n-gn iceweasel-l10n-gn firefox-esr-l10n-gu-in iceweasel-l10n-gu-in firefox-esr-l10n-he iceweasel-l10n-he firefox-esr-l10n-hi-in iceweasel-l10n-hi-in firefox-esr-l10n-hr iceweasel-l10n-hr firefox-esr-l10n-hsb iceweasel-l10n-hsb firefox-esr-l10n-hu
iceweasel-l10n-hu firefox-esr-l10n-hy-am iceweasel-l10n-hy-am firefox-esr-l10n-ia iceweasel-l10n-ia firefox-esr-l10n-id iceweasel-l10n-id firefox-esr-l10n-is iceweasel-l10n-is firefox-esr-l10n-it iceweasel-l10n-it firefox-esr-l10n-ja iceweasel-l10n-ja firefox-esr-l10n-ka iceweasel-l10n-ka firefox-esr-l10n-kab iceweasel-l10n-kab firefox-esr-l10n-kk iceweasel-l10n-kk firefox-esr-l10n-km iceweasel-l10n-km firefox-esr-l10n-kn iceweasel-l10n-kn firefox-esr-l10n-ko iceweasel-l10n-ko firefox-esr-l10n-lij iceweasel-l10n-lij firefox-esr-l10n-lt iceweasel-l10n-lt firefox-esr-l10n-lv iceweasel-l10n-lv firefox-esr-l10n-mai iceweasel-l10n-mai firefox-esr-l10n-mk iceweasel-l10n-mk firefox-esr-l10n-ml iceweasel-l10n-ml firefox-esr-l10n-mr iceweasel-l10n-mr firefox-esr-l10n-ms iceweasel-l10n-ms firefox-esr-l10n-my iceweasel-l10n-my firefox-esr-l10n-nb-no iceweasel-l10n-nb-no firefox-esr-l10n-ne-np iceweasel-l10n-ne-np firefox-esr-l10n-nl iceweasel-l10n-nl firefox-esr-l10n-nn-no iceweasel-l10n-nn-no firefox-esr-l10n-oc iceweasel-l10n-oc firefox-esr-l10n-or iceweasel-l10n-or firefox-esr-l10n-pa-in iceweasel-l10n-pa-in firefox-esr-l10n-pl iceweasel-l10n-pl firefox-esr-l10n-pt-br iceweasel-l10n-pt-br firefox-esr-l10n-pt-pt iceweasel-l10n-pt-pt firefox-esr-l10n-rm iceweasel-l10n-rm firefox-esr-l10n-ro iceweasel-l10n-ro firefox-esr-l10n-ru iceweasel-l10n-ru firefox-esr-l10n-si iceweasel-l10n-si firefox-esr-l10n-sk iceweasel-l10n-sk firefox-esr-l10n-sl iceweasel-l10n-sl firefox-esr-l10n-son iceweasel-l10n-son firefox-esr-l10n-sq iceweasel-l10n-sq firefox-esr-l10n-sr iceweasel-l10n-sr firefox-esr-l10n-sv-se iceweasel-l10n-sv-se firefox-esr-l10n-ta iceweasel-l10n-ta firefox-esr-l10n-te iceweasel-l10n-te firefox-esr-l10n-th iceweasel-l10n-th firefox-esr-l10n-tr iceweasel-l10n-tr firefox-esr-l10n-uk iceweasel-l10n-uk firefox-esr-l10n-ur iceweasel-l10n-ur firefox-esr-l10n-uz iceweasel-l10n-uz firefox-esr-l10n-vi iceweasel-l10n-vi firefox-esr-l10n-xh iceweasel-l10n-xh firefox-esr-l10n-zh-cn 
iceweasel-l10n-zh-cn firefox-esr-l10n-zh-tw iceweasel-l10n-zh-tw
Architecture: source i386 all
Version: 60.9.0esr-1~deb8u2
Distribution: jessie-security
Urgency: medium
Maintainer: Maintainers of Mozilla-related packages
Changed-By: Emilio Pozuelo Monfort
Description:
 firefox-esr - Mozilla Firefox web browser - Extended Support Release (ESR)
 firefox-esr-dbg - Debugging symbols for Firefox ESR
 firefox-esr-l10n-ach - Acoli language package for Firefox ESR
 firefox-esr-l10n-af - Afrikaans language package for Firefox ESR
 firefox-esr-l10n-all - All language packages for Firefox ESR (meta)
 firefox-esr-l10n-an - Aragonese language package for Firefox ESR
 firefox-esr-l10n-ar - Arabic language package for Firefox ESR
 firefox-esr-l10n-as - Assamese language package for Firefox ESR
 firefox-esr-l10n-ast - Asturian language package for Firefox ESR
 firefox-esr-l10n-az - Azerbaijani language package for Firefox ESR
 firefox-esr-l10n-be -
Re: firefox-esr 60.9.0esr-1~deb8u1 i386 build
On 30/09/2019 06:40, Sylvain Beucler wrote:
> Hello,
>
> On 27/09/2019 23:12, Pascal Hambourg wrote:
>> Sorry to insist again, but is there any hope that the i386 build will
>> be available ?
>
> It seems this is a memory issue on the builder:
>
> virtual memory exhausted: Operation not permitted
> /<>/config/rules.mk:1054: recipe for target
> 'Unified_cpp_protocol_http1.o' failed
> make[5]: *** [Unified_cpp_protocol_http1.o] Error 1
>
> Is there a simple way to restart the build, possibly without parallelism?

That wouldn't help. Sorry it took me longer than I expected, but the firefox build system is quite particular and I had trouble injecting build flags that wouldn't get overridden.

This is fixed now as deb8u2; i386 binaries are already available.

Cheers,
Emilio
Re: Training process
Hi,

Team ACME gets a new member. No reaction.

When asked what happened:
- team member A: no time
- team member B: not a documented process
- team member C: maybe new member did something wrong
- team member D: will be introduced in 3 weeks with the report
- team member E: I thought it was a user
- other members: ...

No judgement, I guess I love team ACME as it is :)

Cheers!
Sylvain
[SECURITY] [DLA 1940-1] linux-4.9 security update
Package: linux-4.9
Version: 4.9.189-3+deb9u1~deb8u1
CVE ID : CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2019-14821

    Matt Delco reported a race condition in KVM's coalesced MMIO facility, which could lead to out-of-bounds access in the kernel. A local attacker permitted to access /dev/kvm could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

CVE-2019-14835

    Peter Pi of Tencent Blade Team discovered a missing bounds check in vhost_net, the network back-end driver for KVM hosts, leading to a buffer overflow when the host begins live migration of a VM. An attacker in control of a VM could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation on the host.

CVE-2019-15117

    Hui Peng and Mathias Payer reported a missing bounds check in the usb-audio driver's descriptor parsing code, leading to a buffer over-read. An attacker able to add USB devices could possibly use this to cause a denial of service (crash).

CVE-2019-15118

    Hui Peng and Mathias Payer reported unbounded recursion in the usb-audio driver's descriptor parsing code, leading to a stack overflow. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. On the amd64 architecture this is mitigated by a guard page on the kernel stack, so that it is only possible to cause a crash.

CVE-2019-15902

    Brad Spengler reported that a backporting error reintroduced a spectre-v1 vulnerability in the ptrace subsystem in the ptrace_get_debugreg() function.

For Debian 8 "Jessie", these problems have been fixed in version 4.9.189-3+deb9u1~deb8u1.

We recommend that you upgrade your linux-4.9 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
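The check a practitioner wants after an advisory like this one is whether every installed binary built from the linux-4.9 source is at or above 4.9.189-3+deb9u1~deb8u1. The script below is an added example, not part of the DLA and not Debian's own tooling: it reimplements dpkg's version ordering (Debian Policy 5.6.12, the algorithm behind dpkg --compare-versions) in pure Python so it can run off-box against a copied /var/lib/dpkg/status, and then scans a status excerpt for linux-4.9 binaries that are still too old. The status excerpt, its ABI names and the older 4.9.168 version string are constructed for illustration and are not taken from the advisory. It also shows the "~" rule that makes the jessie build sort below stretch's 4.9.189-3+deb9u1, which is what allows the ~deb8u1 naming to work.

```python
"""Added example for DLA 1940-1 (not part of the advisory or of Debian's
tooling): list installed binaries built from linux-4.9 that are still
below the fixed version.  dpkg's version ordering (Debian Policy 5.6.12)
is reimplemented in pure Python so this runs anywhere; on a Debian host
`dpkg --compare-versions` does the same comparison."""
import re

FIXED_SOURCE = "linux-4.9"
FIXED_VERSION = "4.9.189-3+deb9u1~deb8u1"  # from the advisory text


def _order(c):
    """dpkg's weight for one character of a non-digit run: end of string is 0,
    '~' sorts before even that, letters sort before other punctuation."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two fragments (upstream part or revision) the way dpkg does:
    alternate non-digit runs (lexical via _order) and digit runs (numeric)."""
    at = lambda s, k: s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (at(a, i) and not at(a, i).isdigit()) or \
              (at(b, j) and not at(b, j).isdigit()):
            ac, bc = _order(at(a, i)), _order(at(b, j))
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while at(a, i) == "0":          # leading zeros are insignificant
            i += 1
        while at(b, j) == "0":
            j += 1
        while at(a, i).isdigit() and at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if at(a, i).isdigit():          # the longer digit run is the larger number
            return 1
        if at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-") if "-" in version else (version, "", "")
    return epoch, upstream, revision


def debian_version_cmp(a, b):
    """<0, 0, >0 like `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def unfixed_packages(status_text, source, fixed_version):
    """Parse a /var/lib/dpkg/status excerpt; return (package, version) for each
    installed binary built from `source` whose version is below `fixed_version`."""
    below = []
    for stanza in re.split(r"\n\s*\n", status_text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line and not line[0].isspace() and ":" in line:
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        # 'Source:' only appears when it differs from the binary name, and may
        # carry a '(version)' suffix; take just the name.
        src = (fields.get("Source") or fields.get("Package", "?")).split()[0]
        if src != source or not fields.get("Status", "").endswith(" installed"):
            continue
        if debian_version_cmp(fields["Version"], fixed_version) < 0:
            below.append((fields["Package"], fields["Version"]))
    return below


# Constructed status excerpt; ABI names and the older version are assumptions.
SAMPLE_STATUS = """\
Package: linux-image-4.9.0-0.bpo.9-amd64
Status: install ok installed
Source: linux-4.9
Version: 4.9.168-1+deb9u5~deb8u1

Package: linux-image-4.9.0-0.bpo.11-amd64
Status: install ok installed
Source: linux-4.9
Version: 4.9.189-3+deb9u1~deb8u1

Package: linux-image-3.16.0-10-amd64
Status: install ok installed
Source: linux
Version: 3.16.74-1
"""

if __name__ == "__main__":
    for pkg, ver in unfixed_packages(SAMPLE_STATUS, FIXED_SOURCE, FIXED_VERSION):
        print(f"{pkg} {ver} is below {FIXED_VERSION}: upgrade")
    print(debian_version_cmp(FIXED_VERSION, "4.9.189-3+deb9u1") < 0)  # True
```

Two caveats when using this for real: feed it the whole status file (or `dpkg-query -W -f '${Package} ${Version} ${Source}\n'` output), and remember that an upgraded linux-image package does not protect the running kernel; compare `uname -v` against the package's build and reboot into the fixed one.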
Re: [SECURITY] [DLA 1942-1] phpbb3 security update
Hi Gabriel,

I see you reverted affectation for CVE-2019-13376.

CVE-2019-13376 is a follow-up fix to CVE-2019-16993 (2016), which I registered just yesterday to clarify that we've been missing this earlier fix (AFAICS unsuccessfully ;)).

CVE-2019-13376 applies to 3.2.7, which already has the fix that you thought was related (phpbb's SECURITY-231), which is a different "vulnerability" (with quotes, as it just disables a feature by default, which is expected to be re-enabled for CVE-2019-13376 to apply, as mentioned in the write-up: "in the ACP, go to General > Avatar settings and enable remote avatars").

Consequently DLA 1942-1 fixes CVE-2019-13376 and CVE-2019-16993.
SECURITY-231 doesn't have a CVE assigned.

Cheers!
Sylvain

On 01/10/2019 01:44, Mike Gabriel wrote:
> Package: phpbb3
> Version: 3.0.12-5+deb8u4
> CVE ID : CVE-2019-16993
>
>
> In phpBB, includes/acp/acp_bbcodes.php had improper verification of a
> CSRF token on the BBCode page in the Administration Control Panel. An
> actual CSRF attack was possible if an attacker also managed to retrieve
> the session id of a reauthenticated administrator prior to targeting
> them.
>
> The description in this DLA does not match what has been documented in
> the changelog.Debian.gz of this package version. After the upload of
> phpbb3 3.0.12-5+deb8u4, it became evident that CVE-2019-13776 has not yet
> been fixed. The correct fix for CVE-2019-13776 has been identified and
> will be shipped in a soon-to-come follow-up security release of phpbb3.
>
> For Debian 8 "Jessie", these problems have been fixed in version
> 3.0.12-5+deb8u4.
>
> We recommend that you upgrade your phpbb3 packages.
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
>
LTS/ELTS Report for September 2019
For September I spent 16 hours on the following LTS tasks:

- ansible: multiple issues, including the recently reported CVE-2019-10156 and several previously no-dsa/postponed fixes
- mongodb: CVE-2019-2386, triaged and found to not apply
- libcommons-compress-java: CVE-2019-12402
- php5: fix for #805222, which prevented building PHP extensions
- php-pecl-http: CVE-2016-7398
- python3.4, python2.7: CVE-2019-16506

I also spent 8 hours on the following ELTS tasks:

- python2.7, python2.6: CVE-2019-16506 and numerous previously no-dsa/postponed fixes

Regards,

-Roberto

--
Roberto C. Sánchez
Re: Training process
Hi,

On Mon, 30 Sep 2019, Sylvain Beucler wrote:
> From what I understand there was a training during July and August,
> resulting in active status this month.
> I saw zero traces of this training besides a passing anonymous
> mention in Raphael's reports.
> Possibly we can clarify this a lil' bit? Or did I miss an information
> source?

As far as I am concerned, there's no official training. Internally, we mark new contributors as "in-training" for the initial period where they start to contribute in their free time to get familiar with the process. How each contributor "gets trained" is up to them. Some will read the doc and just get it. Some will work with others that they have already met. Some will ask questions on this mailing list, etc. But all should handle at least one or two DLAs from start to finish (with sponsors when required).

> This would also help welcome new members, I myself remember a solid
> silence when I joined (while I explicitly introduced my application at
> debian-lts@l.d.o).

I don't remember the context, but answering questions from new contributors is definitely among the things that are allowed and encouraged for paid contributors. Maybe your mail didn't look like a question needing an answer?

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/