My Debian Activities in November 2023

FTP master

This month I accepted 276 and rejected 25 packages. The overall number of packages that got accepted was 276. I also handled several RM bugs, so the archive did not grow that much :-).

Debian LTS

This was my hundred-thirteenth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

During my allocated time I uploaded:

• [DLA 3670-1] minizip security update for one CVE to fix an integer overflow
• [DLA 3673-1] gst-plugins-bad1.0 security update for one CVEs to fix an use-after-free
• [#1056934] Bookworm PU-bug for libde265
• [#1056935] Bullseye PU-bug for libde265
• [#1056737] Bookworm PU-bug for minizip
• [#1056738] Bullseye PU-bug for minizip
• [libde265] sponsor upload to unstable
• [zlib] all CVEs could be marked as not-affected

The update of libde265 was a bit unusual this time. The security tracker had three CVEs listed for it and the maintainer was looking for a sponsor to fix them in Unstable. So far, so good! I sponsored the upload and suddenly a fourth CVE appeared in the security tracker. As the debian/changelog mentioned a different CVE, it was automatically added. Indeed upstreams changelog contained a patch for a CVE that was reserved but not yet published (hence the security tracker could not connect it to libde265). I informed upstream and as things turned out marking the CVE as public was just forgotten. Luckily there was some time left for the upcoming point release and all four patches finally arrived in Bookworm.

Debian ELTS

This month was the sixty-fourth ELTS month. During my allocated time I uploaded:

• [ELA-1004-1] libde265 update in Jessie and Stretch for three CVEs. The issues are related to segmentation faults and bufferf overflows in different functions, which might result in DoS.
• [ELA-1006-1] libde265 update in Jessie and Stretch for one CVE. This issue is related to an buffer over read which might result in an information leak or denial of service when processing crafted H.265 files
• [ELA-1010-1 ]minizip update in Stretch for one CVE. This issue was related to a heap-based buffer overflow.
• [ELA-1015-1] gst-plugins-bad1.0 update in Jessie and Stretch for one CVEs to fix a use-after-free of some pointers within the MXF demuxer.

In order to check whether the patch for the standalone version of minizip was ok, I used a test from the embedded minizip version in chromium and it worked.

Debian Printing

This month I uploaded a new upstream version of:

• … ptouch-driver
  

Within the context of preserving old printing packages, I adopted:

• … tink
  
• … mtink
  

If you know of any other package that is also needed and still maintained by the QA team, please tell me.

This work is generously funded by Freexian!

Debian Astro

This month I uploaded a new upstream version of:

• … libahp-xc

Debian IoT

This month I uploaded a new upstream version of:

• … pywws

Debian Mobcom

This month I uploaded a package to fix one or the other issue:

• … libsmpp34
• … osmo-libasn1c

Other stuff

This month I uploaded new upstream version of packages, did a source upload for the transition or uploaded it to fix one or the other issue:

• … golang-github-gin-contrib-static
  
• … golang-github-gin-contrib-gzip
  
• … golang-github-gin-contrib-cors
• … hcloud-cli
• … harminv
• … gnupg-pkcs11-scd
• … dateutils
• … nuspell
• … liburjtag