(E)LTS report for April 2024
LTS:

glibc:
- First part of work released as DLA-3807-1 in May.

gtkwave:
- DLA-3785-1 and DSA-5653-1 were released in April, but the actual work was done and submitted for review in March.

pillow:
- Determined that CVE-2021-25291 does not affect buster.
- Released DLA-3786-1, fixing CVE-2024-28219.

ruby-rack:
- Released DLA-3800-1, fixing CVE-2024-25126, CVE-2024-26141 and CVE-2024-26146.
- These fixes were also uploaded to unstable and submitted for bullseye and bookworm.

trafficserver:
- Released DLA-3799-1, fixing CVE-2024-31309.

zabbix:
- Determined that CVE-2022-40626 does not affect <= bullseye.
- Released DLA-3798-1, fixing CVE-2024-22119.

xorg-server:
- Released DLA-3787-1, fixing CVE-2024-31080, CVE-2024-31081 and CVE-2024-31083.

ELTS:

glibc:
- First part of work released as ELA-1087-1 in May for jessie and stretch.

openexr:
- Determined that CVE-2024-31047 does not affect the binary packages in stretch or buster.

pillow:
- Released ELA-1079-1, fixing CVE-2024-28219 in jessie and stretch.

ruby-rack:
- Determined that CVE-2024-25126 does not affect jessie or stretch.
- Released ELA-1081-1, fixing CVE-2024-26141 and CVE-2024-26146 in stretch.

zabbix:
- Determined that CVE-2024-22119 (sole remaining not ignored CVE) does not affect jessie or stretch.

xorg-server:
- Released ELA-1072-1, fixing CVE-2024-31080, CVE-2024-31081 and CVE-2024-31083 in jessie and stretch.
Debian (E)LTS report for April 2024
Hi everyone,

in April I fixed the remaining changes of the samba packaging repo migration. It turned out the issue was a mix of patches-applied and patches-unapplied quilt usage with gbp, which caused seemingly unrelated build errors as a symptom.

I also worked on ansible(-core), where I fixed:
- CVE-2024-0690
- CVE-2023-5764
- CVE-2023-5115
- CVE-2023-4237
in bookworm via stable-proposed-updates. In the process I also fixed the autopkgtests for unstable and bookworm to ensure that it will be easier to support during the (E)LTS cycle of bookworm. I have also switched the repo to the DEP-14 layout to ease collaboration. The updates for bullseye and buster will be released shortly.

Thanks to our sponsors for financing this work, and to Freexian for coordinating!

Regards,
Lee Garrett, Debian LTS Team
(E)LTS report for April 2024
I've worked during March 2024 on the below listed packages, for Freexian LTS/ELTS [1]

Many thanks to Freexian and sponsors [2] for providing this opportunity!

ELTS and LTS:

expat (ELTS)
============

Last month I've worked on expat for LTS, and the work continued for ELTS - jessie and stretch - and finished with the release of ELA-1073-1 fixing CVE-2023-52425.

For context, this is the report from last month for the update to LTS:

As expat is a very widely used package, one needs to be extra careful when tackling stuff there. Fortunately I found that there is an upstream test suite available in the package. However, it was not enabled, and when trying to enable it the test suite failed to compile, so I spent some time to fix and re-enable the test suite and fix the compilation issue.

Then it was time to backport the first CVE, CVE-2023-52425. The patch is quite large, and after completing the backporting the test suite was not really happy, with several tests failing. After some debugging I've decided to split the patch into its constituent upstream commits and to iterate to a solution, to isolate the commits where the test suite starts failing. This allowed me to debug into the problems and identify some other extra required upstream changes to the library and test suite. In the end the test suite was happy, and the debugging helped to show that the patch for the CVE basically uncovered some bugs in the old test code.

The other CVEs have been triaged and found to be not affecting/actionable for the LTS and ELTS packages:

CVE-2023-52426 is fixing a billion laughs attack when the library is compiled without XML_DTD defined, which is not the case for Debian. (For the other case it is CVE-2013-0340; however, this vulnerability won't be backported due to the risk of regression due to the size, complexity, and new APIs. Expat provides an API to mitigate expansion attacks, so this is ultimately under the control of the app using Expat.)

CVE-2023-52427 is not applicable for the LTS/ELTS packages as well: It is actually a limitation/bug of a function of the original CVE-2013-0340 mitigation heuristic, and as we don't have that code…

After backporting CVE-2023-52425 for ELTS, on jessie python3.4's autopkgtest showed a regression, which needed to be examined. Unfortunately the autopkgtest logs were not verbose, so it was unclear where the failure was coming from until I was able to run the tests locally, where it showed that indeed the expat mitigation for CVE-2023-52425 caused the failure in pyexpat, as the test feeds the xml one byte after the other -- which is the exact thing the patch for CVE-2023-52425 detects and mitigates:

> "Expat 2.6.0 introduced a security mechanism called “reparse deferral”
> where instead of causing denial of service through quadratic runtime
> from reparsing large tokens, reparsing of unfinished tokens is now
> delayed by default until a sufficient amount of input is reached. Due to
> this delay, registered handlers may — depending of the sizing of input
> chunks pushed to Expat — no longer be called right after pushing new
> input to the parser."

The failing test is tripping over that: The XMLPullParser [4] is designed to provide a "Pull API for non-blocking parsing", and when the parser is fed in a way that the parsing deferral is engaged, it might not generate events although the complete token is already fed into the parser - at least not until the close() function is called or further data is fed. Future python versions got API around that, namely the flush() function, but that would require user code changes besides backporting this function to our python versions.

With that I've reached out to the team and asked for their opinion on how to handle the situation; the result was that, due to the fact that there were no reports of this issue for buster and that several other distributions were also going the route of ignoring the python issue (or fixing the python tests to match the new expat behaviour).

frr (LTS)
=========

In contrast to expat, frr was quite straightforward, but there were a lot of vulnerabilities to backport: CVE-2022-26125 CVE-2022-26126 CVE-2022-26127 CVE-2022-26128 CVE-2022-26129 CVE-2022-37035 CVE-2023-38406 CVE-2023-38407 CVE-2023-46752 CVE-2023-46753 CVE-2023-47234 CVE-2023-47235 CVE-2024-31948 CVE-2024-31949. Those are all fixed with the upload, announced as DLA-3797-1. (Additionally, several CVEs had been triaged and found not to affect buster.)

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors

Cheers,
-- 
tobi
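The byte-at-a-time feeding behaviour described in the expat report above can be checked directly against whatever Python and Expat are installed. The following is an added example (not code from the report, from expat or from the python packages) using only the standard library: it feeds a constructed document to XMLPullParser with different chunk sizes and separates events delivered right after feed() from those that only arrive at close(), which is exactly the distinction that broke python3.4's test.

```python
"""Check how XMLPullParser event delivery depends on feed() chunk size.

Added example, not code from the report or from the expat/python packages.
With Expat >= 2.6.0 (the CVE-2023-52425 mitigation, "reparse deferral")
small chunks can leave tokens deferred, so the number of events visible
before close() varies; the complete event stream after close() must not.
"""
import xml.etree.ElementTree as ET
import pyexpat

# Constructed sample document (not from the report).
SAMPLE_XML = b"<log><entry id='1'>start</entry><entry id='2'>stop</entry></log>"


def expat_version():
    """(major, minor, micro) of the Expat library linked into pyexpat."""
    return tuple(pyexpat.version_info)


def deferral_possible():
    """Reparse deferral exists only from Expat 2.6.0 onwards."""
    return expat_version() >= (2, 6, 0)


def feed_in_chunks(data, chunk_size, events=("start", "end")):
    """Feed `data` to an XMLPullParser `chunk_size` bytes at a time.

    Returns (during_feed, after_close): (event, tag) pairs that were
    readable right after some feed() call, and those that only became
    readable once close() forced the parser to finish pending tokens.
    """
    parser = ET.XMLPullParser(events=events)
    during_feed = []
    for offset in range(0, len(data), chunk_size):
        parser.feed(data[offset:offset + chunk_size])
        # Drain whatever the parser is willing to report at this point.
        during_feed.extend((ev, el.tag) for ev, el in parser.read_events())
    parser.close()
    after_close = [(ev, el.tag) for ev, el in parser.read_events()]
    return during_feed, after_close


def complete_events(data, chunk_size):
    """Full event stream in order, whenever each event was delivered."""
    during_feed, after_close = feed_in_chunks(data, chunk_size)
    return during_feed + after_close


def deferred_event_count(data, chunk_size):
    """Events a consumer relying on feed()-time delivery would have missed."""
    return len(feed_in_chunks(data, chunk_size)[1])


def force_delivery(parser):
    """Ask for pending events without closing, where the API exists.

    XMLPullParser.flush() is the API later Python versions grew for this;
    without it there is no way short of close() or feeding more data.
    """
    if hasattr(parser, "flush"):
        parser.flush()
        return True
    return False


if __name__ == "__main__":
    print("Expat %d.%d.%d, deferral possible: %s"
          % (*expat_version(), deferral_possible()))
    for size in (1, 8, len(SAMPLE_XML)):
        during_feed, after_close = feed_in_chunks(SAMPLE_XML, size)
        print("chunk=%3d: %d events during feed, %d only after close()"
              % (size, len(during_feed), len(after_close)))
    # A partial feed of the first complete token, then an explicit flush.
    parser = ET.XMLPullParser(events=("start", "end"))
    parser.feed(SAMPLE_XML[:5])  # b"<log>"
    print("flush() available:", force_delivery(parser),
          "- events readable after partial feed:",
          len(list(parser.read_events())))
```

Run it on the Python you ship: if "deferral possible" is True and the chunk=1 line reports events only after close(), any consumer that acts on events right after feed() needs close() or flush() before doing so.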
E?LTS report for April
I've worked during April on the below listed packages, for Freexian LTS/ELTS [1]

Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS
===

putty
-----
I have tested putty against Terrapin and released DLA 3794-1.
A fix for CVE-2024-31497 is proposed and awaiting review.

gtkwave
-------
I have reviewed the changes by Adrian Bunk.

shim
----
I have reviewed the CVEs and triaged them. I have proposed a fix for unstable.
Note that shim needs a full backport (like microcode) for a security release.
In order to ease the testing of this strategic package I have created an autopkgtest suite. It will ease debugging of boot failures.
Note that this package needs extra caution due to the potential for breakage (no boot). I am working with the maintainer in order to get more testable test cases.

wpa
---
Buster was fixed, and in order to avoid an upgrade regression I fixed CVE-2023-52160 in unstable. I am proposing a PU for bookworm/bullseye.

zookeeper
---------
Following the previous month, I built CVE-2024-23944 for bookworm and proposed a PU.
I investigated CVE-2024-23944 for bullseye and earlier. It seems the information leak is present but different; it may warrant a no-dsa. Waiting for the security team.

libjson-smart
-------------
In order to avoid an upgrade regression I fixed CVE-2023-1370 in sid. PUs are on the way.

apache2
-------
I am reviewing the changes of the maintainer Yadd for buster. I discovered that fossil and unrelated packages are broken by the fix for CVE-2024-24795. I am investigating other kinds of breakage.

ELTS
====

sendmail
--------
Following the previous month, I fixed the jessie NUL REJECT. We tried with the Ubuntu team to clarify border cases of the SMTP smuggling attack. We posted a risk analysis and disclosed some findings at https://marc.info/?l=oss-security=171447187004229=2
The partial conclusion is that the SMTP standard needs to be rewritten to take into account the SMTP smuggling risk. We had a few meetings with standards body members about this issue. It was mainly risk analysis and contact with other SMTP implementations.

apache2
-------
Backported CVE-2023-31122/CVE-2023-38709/CVE-2024-24795 to stretch. Proposed a fix for jessie. Waiting for review. Trying to find a PoC by contacting upstream.

fossil
------
Trying to work on a fix. A backport is likely the best thing to do due to the huge changes.

putty
-----
Verified that putty/stretch and putty/jessie are unaffected by CVE-2024-31497. Filezilla is still affected.

Other works
===========
I attended the monthly meeting of the teams.

A special thanks to the Ubuntu security team for cross-checking my sendmail work, particularly Mark Esler.

Cheers,
rouca

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors
Debian LTS report for April 2024
During the month of April 2024 and on behalf of Freexian, I worked on the following:

gnutls28
--------
Triaged CVE-2024-28834 and -28835.

util-linux
----------
Uploaded 2.33.1-0.1+deb10u1 and issued DLA-3782-1.
https://lists.debian.org/msgid-search/?m=zhj4lnfse0rh2...@debian.org

* CVE-2021-37600: Potential integer overflow in ipcutils.c.
* CVE-2024-28085: Escape sequence injection in wall(1), which could lead to information disclosure or account takeover.
* Prerequisite for the CVE-2024-28085 fix: Backport upstream changes to use fputs_careful() in order to handle UTF-8 characters.

mediawiki
---------
Uploaded 1:1.31.16-1+deb10u8 and issued DLA-3796-1.
https://lists.debian.org/msgid-search/?m=zi0t9ayjrtlnl...@debian.org

* CVE-2023-51704: group-.*-member messages were not properly escaped in Special:log/rights.
* CVE-2024-PENDING: Special:MovePage did not limit nor truncate the list of subpages, which could lead to denial of service when trying to move pages with thousands of subpages.

nghttp2
-------
Uploaded 1.36.0-2+deb10u3 and issued DLA-3804-1.
https://lists.debian.org/msgid-search/?m=zjfitmq-hyjdz...@debian.org

* CVE-2024-28182: An implementation using the nghttp2 library will continue to receive CONTINUATION frames, and will not callback to the application to allow visibility into this information before it resets the stream, resulting in Denial of Service.

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

-- 
Guilhem.
Re: (E)LTS report for April 2023
Hi Dameon,

many thanks for your report and for your help in debugging :) This is very appreciated!

I'll prepare an update later today.

-- 
Cheers,
tobi

On Thu, May 04, 2023 at 03:49:07PM +0100, Dameon Wagner wrote:
> On Wed, May 03 2023 at 17:51:20 +0100, Dameon Wagner scribbled
> in "Re: (E)LTS report for April 2023":
> > On Mon, May 01 2023 at 12:33:51 +0200, Tobias Frost scribbled
> > in "(E)LTS report for April 2023":
> > > I've worked during April 2023 on the below listed packages, for Freexian
> > > LTS/ELTS [1]
> > >
> > > ELTS:
> > > =====
> > >
> > > syslog-ng: ELA-832-1 for stretch and jessie (CVE-2022-38725)
> >
> > Hi Tobi,
> >
> > We've just upgraded a few systems with syslog-ng=3.5.6-2+deb8u1, but
> > have seen some issues with the daemon continuously restarting, and
> > have reverted to 3.5.6-2 for the time being, which solved the issue.
> >
> > Looking at the backported patches I _think_ the issue might be with
> > "patches/0027-syslogformat-sd_step-_process_any_char.patch", in the
> > hunk around line 169:
> >
> > #---8<-
> > @@ -502,16 +502,16 @@
> > }
> > if (left > 0 && *src == ']')
> > {
> > - ssd_step_and_store(self, , );;
> > + s_process_any_char(self, , );;
> > }
> > }
> > #---8<-
> >
> > which differs from the other changes in the patch that are just
> > `s/sd_step_and_store/_process_any_char/` and don't have the doubled-up
> > semicolons?
> >
> > I'm planning to build a test package in the morning and will report
> > back if it seems to fix things -- unless you get there first that is!
>
> I can confirm that fixing the above solves the continuous restart
> issue we were seeing. Adding the following patch to the end of the
> series in debian/patches and rebuilding was all that was required:
>
> #---8<-
> --- a/modules/syslogformat/syslog-format.c
> +++ b/modules/syslogformat/syslog-format.c
> @@ -507,7 +507,7 @@
> }
> if (left > 0 && *src == ']')
> {
> - s_process_any_char(self, , );;
> + _process_any_char(self, , );
> }
> }
> if (left > 0 && *src == ':')
> #---8<-
>
> Though it may be neater to fix the earlier patches where the initial
> issue was introduced (I'm not sure where there are preferences or
> policies regarding a fix like this), namely:
>
> * 0025-syslogformat-utilize-sd_step.patch
> * 0027-syslogformat-sd_step-_process_any_char.patch
>
> Thanks again.
>
> Dameon.
>
> -- 
> ><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
> Dr. Dameon Wagner, Unix Platform Services
> IT Services, University of Oxford
> ><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
Re: (E)LTS report for April 2023
On Wed, May 03 2023 at 17:51:20 +0100, Dameon Wagner scribbled
in "Re: (E)LTS report for April 2023":
> On Mon, May 01 2023 at 12:33:51 +0200, Tobias Frost scribbled
> in "(E)LTS report for April 2023":
> > I've worked during April 2023 on the below listed packages, for Freexian
> > LTS/ELTS [1]
> >
> > ELTS:
> > =====
> >
> > syslog-ng: ELA-832-1 for stretch and jessie (CVE-2022-38725)
>
> Hi Tobi,
>
> We've just upgraded a few systems with syslog-ng=3.5.6-2+deb8u1, but
> have seen some issues with the daemon continuously restarting, and
> have reverted to 3.5.6-2 for the time being, which solved the issue.
>
> Looking at the backported patches I _think_ the issue might be with
> "patches/0027-syslogformat-sd_step-_process_any_char.patch", in the
> hunk around line 169:
>
> #---8<-
> @@ -502,16 +502,16 @@
> }
> if (left > 0 && *src == ']')
> {
> - ssd_step_and_store(self, , );;
> + s_process_any_char(self, , );;
> }
> }
> #---8<-
>
> which differs from the other changes in the patch that are just
> `s/sd_step_and_store/_process_any_char/` and don't have the doubled-up
> semicolons?
>
> I'm planning to build a test package in the morning and will report
> back if it seems to fix things -- unless you get there first that is!

I can confirm that fixing the above solves the continuous restart
issue we were seeing. Adding the following patch to the end of the
series in debian/patches and rebuilding was all that was required:

#---8<-
--- a/modules/syslogformat/syslog-format.c
+++ b/modules/syslogformat/syslog-format.c
@@ -507,7 +507,7 @@
}
if (left > 0 && *src == ']')
{
- s_process_any_char(self, , );;
+ _process_any_char(self, , );
}
}
if (left > 0 && *src == ':')
#---8<-

Though it may be neater to fix the earlier patches where the initial
issue was introduced (I'm not sure where there are preferences or
policies regarding a fix like this), namely:

* 0025-syslogformat-utilize-sd_step.patch
* 0027-syslogformat-sd_step-_process_any_char.patch

Thanks again.

Dameon.

-- 
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
Dr. Dameon Wagner, Unix Platform Services
IT Services, University of Oxford
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
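Review bot: appending this `@@ -507,7 +507,7 @@` correction as a new patch at the end of debian/patches leaves 0025-syslogformat-utilize-sd_step.patch and 0027-syslogformat-sd_step-_process_any_char.patch still carrying the defective `s_process_any_char(self, , );;` line, so a later refresh or rebase of the series can reintroduce it; folding the one-line change into 0027 (the patch that introduced the line) keeps the series self-consistent. The rebuilt package should also be exercised with a message that reaches the `*src == ']'` branch shown in the context lines, since that is the path the bad call site sat on, to confirm the restart loop is gone rather than merely moved.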
Re: (E)LTS report for April 2023
On Mon, May 01 2023 at 12:33:51 +0200, Tobias Frost scribbled
in "(E)LTS report for April 2023":
> I've worked during April 2023 on the below listed packages, for Freexian
> LTS/ELTS [1]
>
> ELTS:
> =====
>
> syslog-ng: ELA-832-1 for stretch and jessie (CVE-2022-38725)

Hi Tobi,

We've just upgraded a few systems with syslog-ng=3.5.6-2+deb8u1, but
have seen some issues with the daemon continuously restarting, and
have reverted to 3.5.6-2 for the time being, which solved the issue.

Looking at the backported patches I _think_ the issue might be with
"patches/0027-syslogformat-sd_step-_process_any_char.patch", in the
hunk around line 169:

#---8<-
@@ -502,16 +502,16 @@
}
if (left > 0 && *src == ']')
{
- ssd_step_and_store(self, , );;
+ s_process_any_char(self, , );;
}
}
#---8<-

which differs from the other changes in the patch that are just
`s/sd_step_and_store/_process_any_char/` and don't have the doubled-up
semicolons?

I'm planning to build a test package in the morning and will report
back if it seems to fix things -- unless you get there first that is!

Many thanks for all the work, it really is appreciated.

Cheers.

Dameon.

-- 
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
Dr. Dameon Wagner, Unix Platform Services
IT Services, University of Oxford
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
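Review bot: in the `@@ -502,16 +502,16 @@` hunk, the added line `+ s_process_any_char(self, , );;` does not match the rename the rest of the patch applies (`s/sd_step_and_store/_process_any_char/`): it keeps a leading `s` on the function name and a doubled `;;`, so this call site should read `_process_any_char(self, , );` like the other converted sites. A mechanical rename of this kind should be checked before upload with a grep for the old name and for `;;` across the patched file, and the build log reviewed for any warning at this line.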
(E)LTS report for April 2023
DLAs released:

DLA-3402-1 wireshark
    CVE-2023-1161 CVE-2023-1992 CVE-2023-1993 CVE-2023-1994

DLA-3407-1 jackson-databind
    CVE-2020-10650

DLA-3408-1 jruby
    CVE-2017-17742 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2020-25613 CVE-2021-31810 CVE-2021-32066 CVE-2023-28755 CVE-2023-28756

DLA-3409-1 libapache2-mod-auth-openidc
    CVE-2019-20479 CVE-2021-32785 CVE-2021-32786 CVE-2021-32791 CVE-2021-32792 CVE-2023-28625

ELA released:

ELA-839-1 wireshark/stretch
    CVE-2023-1161 CVE-2023-1992 CVE-2023-1993 CVE-2023-1994
Debian LTS report for April 2023
During the month of April 2023 and on behalf of Freexian, I worked on the following:

* DLA-3410-1 for openvswitch=2.10.7+ds1-0+deb10u4
  CVE-2023-1668
  https://lists.debian.org/msgid-search/?m=ze8ep8fiq5ztl...@debian.org

* Triage WordPress' outstanding CVEs and conclude no DLA is warranted at this time.

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

-- 
Guilhem.
(E)LTS report for April 2023
I've worked during April 2023 on the below listed packages, for Freexian LTS/ELTS [1]

Many thanks to Freexian and our sponsors [2] for providing this opportunity!

non-packaging
=============

preparing "Forking repositories for the LTS namespace"

LTS:
====

intel-microcode: DLA-3379-1 (paperwork, preparing the package was done in March)

udisks2: DLA-3387-1, DLA-3387-2: CVE-2021-3802

zabbix: DLA-3390-1: CVE-2019-15132, CVE-2020-15803, CVE-2021-27927, CVE-2022-24349, CVE-2022-24917, CVE-2022-24919, CVE-2022-35229, CVE-2022-35230

ELTS:
=====

syslog-ng: ELA-832-1 for stretch and jessie (CVE-2022-38725)

libxml2: ELA-837-1 for stretch and jessie: CVE-2017-5130 CVE-2017-5969 CVE-2023-28484 CVE-2023-29469

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors

Cheers,
-- 
tobi
LTS report for April 2022 - Abhijith
Hello.

During the month of April I worked on the following packages for LTS:

* mitmproxy
  - Total of 3 CVEs
  - Due to a lot of code refactoring, marked 2 CVEs as ignored.

* mruby
  - Total of 18 CVEs
  - Fixed 5 CVEs. Marked 5 as not affected for stretch
  - Again due to a lot of code refactoring, the rest of the CVEs are no-DSA
  - https://people.debian.org/~abhijith/upload/mruby/mruby_1.2.0+20161228+git30d5424a-1+deb9u1.dsc

* icingaweb2
  - 10 CVEs
  - Fixed 3 CVEs. Marked 2 as not-affected for stretch
  - Asked upstream for more details and fixes for old vulnerabilities.
  - https://people.debian.org/~abhijith/upload/mruby/icingaweb2_2.4.1-1+deb9u2.dsc

Regards
Abhijith
Re: LTS report for April 2021 - Abhijith PA
On 10/05/21 12:34 AM, Abhijith PA wrote:
> March was my 38th month as a Debian LTS paid contributor.
  ^ Oops, April.
LTS report for April 2021 - Abhijith PA
March was my 38th month as a Debian LTS paid contributor. I was assigned 14 hours and I spent all of them for the following;

* mediawiki: There were 8 CVEs reported. CVE-2021-20270 CVE-2021-27291 CVE-2021-30152 CVE-2021-30154 CVE-2021-30155 CVE-2021-30157 CVE-2021-30158 CVE-2021-30159. Marked CVE-2021-30154 CVE-2021-30157 as not-affected and fixed the rest. Uploaded and released [DLA 2648-1][1], [DLA 2648-2][2] regression update.

* smarty3: Fixed a regression and uploaded [DLA 2618-2][3]. Thanks to Benjamin Renard for finding it.

* samba: There were 9 CVEs including the no-dsa tagged ones. So far backported CVE-2019-10218 CVE-2019-14833 CVE-2019-14847 CVE-2019-14861 CVE-2019-14870. Continuing work on remaining fixes. Build available[4] for testing.

Regards
Abhijith PA

[1] - https://lists.debian.org/debian-lts-announce/2021/05/msg3.html
[2] - https://lists.debian.org/debian-lts-announce/2021/05/msg6.html
[3] - https://lists.debian.org/debian-lts-announce/2021/04/msg00014.html
[4] - https://people.debian.org/~abhijith/upload/vda/samba_4.5.16+dfsg-1+deb9u4.dsc
(E)LTS report for April 2021
hi,

in April 2021 I spent 10h managing (E)LTS contributors:

- dispatch work hours for LTS and ELTS
- prepare the monthly Freexian blog post published on raphaelhertzog.com
- participate in the monthly team meeting on jitsi
- mail and irc communication, incl.
  - semi-automatic unclaim packages
  - too many claimed packages
  - missing DLAs on www.d.o
  - onboarding Lynoure, explaining my work
  - onboarding Lee
  - front desk workflows

-- 
cheers,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
LTS report for April 2020 - Abhijith PA
April was my 26th month as a Debian LTS paid contributor. I was assigned 14 hours. I was only able to spend 10 hours.

* apache-log4j2: Backporting CVE-2020-9488 needs backporting a couple of java classes from upstream and is intrusive. Another fast mitigation upstream suggests is to set the system property mail.smtp.ssl.checkserveridentity to true to globally enable hostname verification. Thus marked it as no-dsa.

* otrs2: Continued my work from last month on this package. A new CVE was reported, CVE-2020-1774. Uploaded with 3 CVEs fixed and 3 marked as no-dsa. DLA-2198-1[1]

* mumble: Attempted to upgrade Jessie's version to 1.2.18. Unfortunately the Stretch version is also vulnerable to DoS. I've written the current status here[2]

Regards
Abhijith PA

[1] - https://lists.debian.org/debian-lts-announce/2020/05/msg0.html
[2] - https://lists.debian.org/debian-lts/2020/05/msg8.html
(E)LTS report for April
Hi,

During the month of April I spent 8h on LTS, preparing and testing the qemu update, and also starting with the openjdk-7 update. I will catch up on the remaining hours this month.

For ELTS I spent 8.5h on frontdesk & triaging, finalising the firmware-nonfree update (fighting the python2/3 mismatch) and on the mysql-5.5 situation.

Cheers,
Emilio
LTS report for April 2019 - Abhijith PA (Slight correction)
(Slight correction)

April 2019 was my 15th month as a Debian LTS paid contributor. I was assigned 14 hours but I was only able to do 4 hours. I will carry the rest of the hours to next month.

* mumble: I prepared 1.2.18[1] (version in stretch) for jessie. Tested with the PoC[2] and it's still susceptible to attack, thus not uploaded. Thanks to Chris Knadle and DuckBoss for helping in testing.

Regards
Abhijith PA

[1] - https://people.debian.org/~abhijith/upload/mumble_1.2.18-1+deb8u1.dsc
[2] - https://people.debian.org/~abhijith/upload/reproduce-3505.tar.xz
LTS report for April 2019 - Abhijith PA
March 2019 was my 14th month as a Debian LTS paid contributor. I was assigned 14 hours but I was only able to do 4 hours. I will carry the rest of the hours to next month.

* mumble: I prepared 1.2.18[1] (version in stretch) for jessie. Tested with the PoC[2] and it's still susceptible to attack, thus not uploaded. Thanks to Chris Knadle and DuckBoss for helping in testing.

Regards
Abhijith PA

[1] - https://people.debian.org/~abhijith/upload/mumble_1.2.18-1+deb8u1.dsc
[2] - https://people.debian.org/~abhijith/upload/reproduce-3505.tar.xz
LTS report for April 2019
Hours worked: 8 hours

Work done:

DLA-1768-1 checkstyle CVE-2019-9658

Work on an update of libmatio is still ongoing.

cu
Adrian

-- 
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
LTS report for April
Hi,

My report for April is available:
https://blog.beuc.net/posts/Debian_LTS_-_April_2019/

Cheers!
Sylvain
LTS report for April
Hi,

Last month I spent 11.5h on LTS as follows:

- Updated OpenJDK 7
- Updated Perl
- Updated LibreOffice
- Updated MySQL 5.5
- Some triaging and investigations

Cheers,
Emilio
LTS Report for April 2018 - Abhijith PA
April 2018 was my third month as a Debian LTS paid contributor. I was assigned 10 hours but I was only able to do 5. I am carrying the rest to May. I have spent these hours on;

* sharutils: Investigated CVE-2018-197 and marked the wheezy version as not-affected. (Wheezy version has a buffer size for shell process input)

* drupal7: Backported CVE-2018-7602 on the same day of upstream disclosure :). Thanks to Emilio Pozuelo Monfort for uploading. [1]

* ocaml: Initially backported CVE-2018-9838 but later marked as no-dsa to follow the Debian security team.

Regards,
Abhijith PA

[1] https://lists.debian.org/debian-lts-announce/2018/04/msg00030.html
LTS Report for April 2018
For April I spent 7 hours on the following:

- gcc-4.9: after the determination was made that backporting the retpoline patches to gcc-4.6 was infeasible, work began on backporting gcc-4.9 from jessie; I encountered issues beyond my expertise and Ben Hutchings took this over and completed the work

- apache2: determined that three open CVEs did not apply to the wheezy version of apache2; worked on backporting patches for CVE-2017-15710, CVE-2018-1301, and CVE-2018-1312; the patch for CVE-2018-1312 has been problematic because of incompatible changes made upstream on the 2.4 branch and the fact that upstream security support for 2.2 ended last year (I anticipate completing this in the next day or two)

I also had a surplus of hours which I gave back.

Regards,

-Roberto

-- 
Roberto C. Sánchez
LTS Report for April 2017
For April I had 21 hours available. I spent 16.5 as follows:

- samba: CVE-2017-2619: final package preparation, review, and upload
- ghostscript: CVE-2017-8291: prepare, test, and upload package
- imagemagick: begin review of latest batch of CVEs
- icu: CVE-2017-7867, CVE-2017-7868: Assist Thorsten with investigation of test failure

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
LTS report for April
Hi,

Last month I was allocated 16h and carried over 3.5h from the previous month. I spent 17.5h doing the following:

- tzdata/libdatetime-timezone-perl: updated to 2017b.
- libxslt: investigated issue, no-dsa.
- firefox-esr: updated to 45.9.0esr
- firefox-esr 52: sent patches to maintainers for wheezy support.
- libvpx: continued work from previous month, ended up marking them no-dsa after discussing it with carnil
- libreoffice: took over Balint/Rene's work, backported missing code and released update
- chicken: released update
- libcroco: released update
- mysql-5.5: tested and sponsored updated package
- batik: investigated issue, not much information at this point
- briefly tested jasper update
- rtmpdump: released update
- freetype: released update
- weechat: released update

Cheers,
Emilio