Posted on

My Debian Activities in December 2023

FTP master

This month I accepted 235 and rejected 13 packages. The overall number of packages that got accepted was 249. I also handled lots of RM bugs and almost stopped the increase in packages this month :-). Please be aware, if you don’t want your package to be removed, take care of it and keep it in good shape!

Debian LTS

This was my hundred-fourteenth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

During my allocated time I uploaded:

  • [DLA 3686-1] xorg-server security update for two CVEs to fix privilege escalation
  • [DLA 3686-2] xorg-server security update for one CVE to really fix privilege escalation. Unfortunately the first patches provided by upstream did not really solve the problem, so here we are in round 2
  • [DLA 3699-1] libde265 security update for three CVEs to fix heap buffer or global buffer overflows
  • [DLA 3700-1] cjson security update for one CVE to fix a segmentation violation
  • [#1056934] Bookworm PU-bug for libde265; I could finally upload the package
  • [#1056737] Bookworm PU-bug for minizip; I could finally upload the package
  • [libde265]For the next round of CVEs of libde265 I prepared debdiffs for Bullseye and Bookworm and sent them to the maintainer.
  • [cjson]I prepared debdiffs for Bullseye and Bookworm and sent them to the maintainer.

This month was rather calm and no unexpected things happened. The web team now automatically creates all webpages from data found in the security tracker. So I could deactivate my web-dla script again which created the webpages from the contents of the announcement mailing list.

Last but not least I also did two weeks of frontdesk duties.

Debian ELTS

This month was the sixty-fifth ELTS month. During my allocated time I uploaded:

  • [ELA-1019-1]xorg-server security update for two CVEs to fix privilege escalation
  • [ELA-1019-2]xorg-server security update for to really fix privilege escalation. As with the DLAs above, the first patches provided by upstream did not really solve the problem, so here we are in round 2
  • [ELA 1027-1] libde265 security update for three CVEs in Stretch to fix heap buffer or global buffer overflows

Last but not least I also did two weeks of frontdesk duties.

Debian Printing

This month I uploaded a package to fix bugs:

  • cups/Bookworm to fix a bug related to color printing
  • hplip to fix a bug related to /usr-merge

This work is generously funded by Freexian!

Debian Astro

This month I uploaded a package to fix bugs:

Other stuff

This month I uploaded new upstream version of packages, did a source upload for the transition or uploaded it to fix one or the other issue:

Posted on

My Debian Activities in November 2023

FTP master

This month I accepted 276 and rejected 25 packages. The overall number of packages that got accepted was 276. I also handled several RM bugs, so the archive did not grow that much :-).

Debian LTS

This was my hundred-thirteenth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

During my allocated time I uploaded:

  • [DLA 3670-1] minizip security update for one CVE to fix an integer overflow
  • [DLA 3673-1] gst-plugins-bad1.0 security update for one CVEs to fix an use-after-free
  • [#1056934] Bookworm PU-bug for libde265
  • [#1056935] Bullseye PU-bug for libde265
  • [#1056737] Bookworm PU-bug for minizip
  • [#1056738] Bullseye PU-bug for minizip
  • [libde265] sponsor upload to unstable
  • [zlib] all CVEs could be marked as not-affected

The update of libde265 was a bit unusual this time. The security tracker had three CVEs listed for it and the maintainer was looking for a sponsor to fix them in Unstable. So far, so good! I sponsored the upload and suddenly a fourth CVE appeared in the security tracker. As the debian/changelog mentioned a different CVE, it was automatically added. Indeed upstreams changelog contained a patch for a CVE that was reserved but not yet published (hence the security tracker could not connect it to libde265). I informed upstream and as things turned out marking the CVE as public was just forgotten. Luckily there was some time left for the upcoming point release and all four patches finally arrived in Bookworm.

Debian ELTS

This month was the sixty-fourth ELTS month. During my allocated time I uploaded:

  • [ELA-1004-1] libde265 update in Jessie and Stretch for three CVEs. The issues are related to segmentation faults and bufferf overflows in different functions, which might result in DoS.
  • [ELA-1006-1] libde265 update in Jessie and Stretch for one CVE. This issue is related to an buffer over read which might result in an information leak or denial of service when processing crafted H.265 files
  • [ELA-1010-1 ]minizip update in Stretch for one CVE. This issue was related to a heap-based buffer overflow.
  • [ELA-1015-1] gst-plugins-bad1.0 update in Jessie and Stretch for one CVEs to fix a use-after-free of some pointers within the MXF demuxer.

In order to check whether the patch for the standalone version of minizip was ok, I used a test from the embedded minizip version in chromium and it worked.

Debian Printing

This month I uploaded a new upstream version of:

Within the context of preserving old printing packages, I adopted:

If you know of any other package that is also needed and still maintained by the QA team, please tell me.

This work is generously funded by Freexian!

Debian Astro

This month I uploaded a new upstream version of:

Debian IoT

This month I uploaded a new upstream version of:

Debian Mobcom

This month I uploaded a package to fix one or the other issue:

Other stuff

This month I uploaded new upstream version of packages, did a source upload for the transition or uploaded it to fix one or the other issue:

Posted on

My Debian Activities in October 2023

FTP master

This month I accepted 361 and rejected 34 packages. The overall number of packages that got accepted was 362.

Debian LTS

This was my hundred-twelfth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

During my allocated time I uploaded:

  • [DLA 3615-1] libcue security update for one CVE to fix an out-of-bounds array access
  • [DLA 3631-1] xorg-server security update for two CVEs. These were embargoed issues related to privilege escalation
  • [DLA 3633-1] gst-plugins-bad1.0 security update for three CVEs to fix possible DoS or arbitrary code execution when processing crafted media files.
  • [1052361]bookworm-pu: the upload has been done and processed for the point release
  • [1052363]bullseye-pu: the upload has been done and processed for the point release

Unfortunately upstream still could not resolve whether the patch for CVE-2023-42118 of libspf2 is valid, so no progress happened here.
I also continued to work on bind9 and try to understand why some tests fail.

Last but not least I did some days of frontdesk duties and took part in the LTS meeting.

Debian ELTS

This month was the sixty-third ELTS month. During my allocated time I uploaded:

  • [ELA-978-1]cups update in Jessie and Stretch for two CVEs. One issue is related to missing boundary checks which might lead to code execution when using crafted postscript documents. The other issue is related to unauthorized access to recently printed documents.
  • [ELA-990-1]xorg-server update in Jessie and Stretch for two CVEs. These were embargoed issues related to privilege escalation.
  • [ELA-993-1]gst-plugins-bad1.0 update in Jessie and Stretch for three CVEs to fix possible DoS or arbitrary code execution when processing crafted media files.

I also continued to work on bind9 and as with the version in LTS, I try to understand why some tests fail.

Last but not least I did some days of frontdesk duties .

Debian Printing

This month I uploaded a new upstream version of:

Within the context of preserving old printing packages, I adopted:

If you know of any other package that is also needed and still maintained by the QA team, please tell me.

I also uploaded new upstream version of packages or uploaded a package to fix one or the other issue:

This work is generously funded by Freexian!

Debian Mobcom

This month I uploaded a package to fix one or the other issue:

  • osmo-pcu The bug was filed by Helmut and was related to /usr-merge

Other stuff

This month I uploaded new upstream version of packages, did a source upload for the transition or uploaded it to fix one or the other issue:

Posted on

My Debian Activities in September 2023

FTP master

This month I accepted 437 and rejected 36 packages. The overall number of packages that got accepted was 437.

Debian LTS

This was my hundred-eleventh month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian. 

During my allocated time I uploaded:

  • [DLA 3579-1] elfutils security update for one CVE
  • [DLA 3594-1] cups security update for two CVEs
  • [1052361]bookworm-pu: cups/2.4.2-3+deb12u2
  • [1052363]bullseye-pu: cups/2.3.3op2-3+deb11u4

I also started to work on bind9.

Last but not least I did some days of frontdesk duties and took part in the LTS meeting.

Debian ELTS

This month was the sixty-second ELTS month. During my allocated time I uploaded:

  • [ELA-956-1]libssh2 update in Jessie and Stretch for one CVE
  • [ELA-962-1]elfutils update in Jessie and Stretch for one CVE
  • [ELA-966-1]openssl1.0 update in Stretch for two CVEs

I also prepared updates for cups but problems with the buildd delayed the release a few days until October. I also started to work on bind9.

Last but not least I did some days of frontdesk duties .

debian-astro

Finally I managed to upload a new upstream version of openvlbi.

debian-iot

I uploaded a new upstream version (1.16.0) of libjwt to experimental. Unfortunately one test failed and upstream is trying to fix this now. So you can try to build your packages with the version in experimental, but only the next release of libjwt will make it to unstable.

debian-printing

This month I uploaded new upstream versions or bug fixing versions of:

In an email to debian-devel I asked whether anybody is still using lpr/lpd. Oddly enough, these old packages are still useful:

  • Within a small network it is easier to distribute a printcap file, than to properly config cups clients.
  • One of the biggest manufacturers of WLAN router and DSL boxes only supports raw queues when attaching an USB printer to their hardware. Admittedly the CPDB still has problems with such raw queues.
  • The Pharos printing system at MIT is still lpd based.

As a result, the lpr/lpd stuff is not yet ready to be abandoned and I will adopt the relevant packages and move them under the umbrella of the debian-printing team. Though it is not planned to develop new features, those packages should at least have a maintainer. The first adopted package has been rlpr, an utility for lpd printing without using /etc/printcap. The next one in October will be lprng, a lpr/lpd printer spooling system. If you know of any other package that is also needed and still maintained by the QA team, please tell me.

This work is generously funded by Freexian!

Posted on

My Debian Activities in August 2023

FTP master

This month I accepted 347 and rejected 39 packages. The overall number of packages that got accepted was 349.

Debian LTS

This was my hundred-tenth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian. 

During my allocated time I uploaded:

  • [DLA 3548-1] qpdf security update for three CVEs
  • [DLA 3549-1] ring security update for 20 CVEs

The open CVE for ffmpeg was already fixed in a previous upload and could be marked as such.
I also started to work on amanda and did some work on security-master.

Last but not least I did some days of frontdesk duties and took part in the LTS meeting.

Debian ELTS

This month was the sixty-first ELTS month. During my allocated time I uploaded:

  • [ELA-927-1]ffmpeg update in Stretch for one CVE
  • [ELA-932-1]openssl1.0 update in Stretch for eight CVEs

Yeah, finally openssl1.0 was uploaded!

I also started to work on amanda, but for whatever reason the package does not build in my chroot. Why do I always choose the packages with quirks?

Last but not least I did some days of frontdesk duties.

debian-printing

This month I tried to update package hplip. Unfortunately upstream added some new compressed files that need to appear uncompressed in the package. Even though this sounded like an easy task, which seemed to be already implemented in the current debian/rules, the new type of files broke this implementation and made the package no longer buildable. There is also an RC-bug waiting that needs some love. I still hope to upload the package soon.

This work is generously funded by Freexian!

Other stuff

Unfortunately $job demanded lots of attention this month, so I only uploaded:

Due to the recent license change of Hashicorp, I am no longer willing to spend time working on their products. I therefore filed RM-bugs for golang-github-hashicorp-go-gcp-common, golang-github-hashicorp-go-tfe, golang-github-hashicorp-go-slug and golang-github-hashicorp-terraform-json.
As there seemed to be others involved in golang-github-hashicorp-terraform-svchost and golang-github-hashicorp-go-azure-helpers, I only orphaned both packages.

I hope OpenTF will be successful!

Posted on

My Debian Activities in July 2023

FTP master

This month I accepted 408 and rejected 40 packages. The overall number of packages that got accepted was 412.

Debian LTS

This was my hundred-ninth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian. 

This month my all in all workload has been 14h.

During that time I uploaded:

  • [DLA 3505-1] gst-plugins-good1.0 security update for one CVE
  • [DLA 3503-1] gst-plugins-bad1.0 security update for one CVE
  • [DLA 3504-1] gst-plugins-base1.0 security update for one CVE
  • [#1039026] the pu upload of cups was finally accepted
  • [#1039862] the pu upload of cpdb-libs was finally accepted

I also continued my work on ring and did some work on security-master.

Last but not least I did some days of frontdesk duties and took part in the LTS meeting.

Debian ELTS

This month was the sixtieth ELTS month.

  • [ELA-887-1] cups security update in Jessie and Stretch for on CVE
  • [ELA-898-1]gst-plugins-bad1.0 update in Jessie and Stretch for one CVE
  • [ELA-899-1]gst-plugins-base1.0 update in Jessie and Stretch for one CVE
  • [ELA-900-1]gst-plugins-good1.0 update in Jessie and Stretch for one CVE

Finally I found the problem with the openssl package. When starting to work on the package, it built fine without my patches. After applying some patches, the built suddenly failed, so I thought I did something wrong with the patches. At some point I found out that it weren’t my patches but a certificate, that was used for testing, expired. It was valid for 10 years and just when I worked on the package it expired. Now I just have to find out how to replace it…

Last but not least I did some days on frontdesk duties.

Debian Astro

This month I uploaded new upstream version of packages, did a source upload for the transition or uploaded it to fix one or the other issue:

Other stuff

This month I did uploads of new packages:

Posted on

My Debian Activities in June 2023

FTP master

This month I accepted 221 and rejected 33 packages. The overall number of packages that got accepted was 221.

Yeah, Bookworm was released this month. Thanks a lot to everybody who was involved in doing this.

Debian LTS

This was my hundred-eighth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian. 

This month my all in all workload has been 14h.

During that time I uploaded:

  • [DLA 3440-1] cups security update for one CVE (as the CVE was embargoed, most of the work was done in May but the upload happened in June)
  • [unstable] upload of cups 2.4.2-4 to fix CVE-2023-32324
  • [DLA 3461-1] libfastjson security update for one CVE
  • [DLA 3465-1] minidlna security update for one CVE
  • [DLA 3476-1] cups security update for one CVE
  • [unstable] upload of cups 2.4.2-5 to fix CVE-2023-34241
  • [#1039026] pu-bug for cups to fix CVE-2023-32324 and CVE-2023-34241 in Bookworm; upload was done as well
  • [#1039040] pu-bug for cups to fix CVE-2023-32324 and CVE-2023-34241 in Bullseye; upload was done as well

I also did some work on security-master to inject missing dependencies for some packages and processed NEW.

Last but not least I did some days on frontdesk duties and took part in the LTS meeting.

Debian ELTS

This month was the fifty ninth ELTS month.

  • [ELA-860-1] cups security update in Jessie and Stretch for one CVE
  • [ELA-872-1] libfastjson security update in Stretch for one CVE
  • [ELA-887-1]cups security update in Jessie and Stretch for one CVE

I also made some progress with the openssl1.0 update.

Last but not least I did some days on frontdesk duties.

Debian Astro

This month I uploaded some packages to fix one or the other issue:

This month I even uploaded a new package c-munipack, which is more or less the successor of munipack, and can be used for example to analyse light curves of variable stars.
Another new package is virtualgps, where the name says it all.

Debian Printing

This month I did a security upload of cpdb-libs to fix a CVE in Unstable, Bookworm and Bullseye.
This work is generously funded by Freexian!

Debian Mobcom

This month I could upload a new version of:

Other stuff

This month I restarted DOPOM (Debian Orphaned Package Of the Month) and adopted:

Hopefully this will result in a new upload of vdr-plugin-live. I would like to have this package for my personal VDR.

I also did an upload of:

Posted on

My Debian Activities in May 2023

FTP master

This month I accepted 157 and rejected 22 packages. The overall number of packages that got accepted was 160.

Debian LTS

This was my hundred-seventh month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian. 

This month my all in all workload has been 14h.

During that time I uploaded:

  • [DLA 3430-1] cups-filters security update for one CVE
  • [DSA 5407-1] cups-filters security update for one CVE
  • [unstable] upload of cups-filters to fix CVE-2023-24805
  • [#1036548] unblock bug to fix CVE-2023-24805 in bookworm
  • [unstable] upload of sniproxy to fix CVE-2023-25076
  • [DSA 5413-1] sniproxy security update in Bullseye for one CVE
  • [cups] working to fix CVE-2023-32324 in unstable, Bookworm, Bullseye, Buster

The CVEs for cups-filters and cups have been embargoed ones, so the work for cups was done in May but the uploads happen in June.

I also did some work on security-master to inject missing dependencies for hugo and gitlab-workhose.

Last but not least I did some days on frontdesk duties.

Debian ELTS

This month was the fifty eighth ELTS month.

  • [ELA-852-1] cups-filters security update in Jessie and Stretch for one CVE
  • [ELA-856-1] freetype security update in Jessie and Stretch for two CVEs
  • [ELA-857-1] libtasn1-6 security update in Jessie and Stretch for one CVE
  • [cups] working to fix CVE-2023-32324 in Jessie and Stretch

The CVEs for cups-filters and cups have been embargoed ones, so the work for cups was done in May but the uploads happen in June.

Last but not least I did some days on frontdesk duties.

Debian Astro

This month I uploaded some packages to fix RC bugs, that were
detected by one of many QA tools:

Thanks a lot to all the hardworking people who run these tools!

Debian Printing

This month I could fix RC bugs in:

This work is generously funded by Freexian!

Debian Mobcom

This month I could fix RC bugs in:

Other stuff

Some other packages also had last minute RC bugs:

I even did an upload of a new package force-ip-protocol. I finally had enough of people using IPv6 for their hosts but are unable to configure it. Now I can force firefox, or whatever software, to only use IPv4. One nuisance settled.

Posted on

My Debian Activities in April 2023

FTP master

This month I accepted 103 and rejected 11 packages. The overall number of packages that got accepted was 103.

Debian LTS

This was my hundred-sixth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian. 

This month my all in all workload has been 14h.

During that time I uploaded:

  • [DLA 3405-1] libxml2 security update for two CVE
  • [DLA 3406-1] sniproxy security update for one CVE
  • [sniproxy] updates for Unstable + Bullseye prepared and debdiffs sent to maintainer
  • [1033759] pu-bug: duktape/bullseye uploaded and accepted
  • [1029976] pu-bug: libzen/bullseye uploaded and accepted

I also continued to work on ring in Buster and Bullseye, where some new CVEs appeared.

Debian ELTS

This month was the fifty seventh ELTS month.

Unfortunately I couldn’t use up all my allocated hours and I was only able to continue my work on openssl1.0. I plan to do an upload in May.

Debian Astro

Due to a change in numpy the planetary-system-stacker stopped working. I created a patch and uploaded a new package. Meanwhile it already arrived in testing and I could analyse some pictures of the sun again.

Other stuff

Looking at my notes, there is nothing to be reported here.

Posted on

My Debian Activities in March 2023

FTP master

This month I accepted 78 and rejected 12 packages. The overall number of packages that got accepted was 78.

I still love this calm and peaceful time now within the Debian project, when everybody only cares for RC bugs and NEW does not grow.

Debian LTS

This was my hundred-fifth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian. 

This month my all in all workload has been 14h.

During that time I uploaded:

  • [DLA 3358-1] mpv security update for one CVE
  • [DLA 3372-1] xorg-server embargoed security update for one CVE
  • [DLA 3374-1] libmicrohttpd security update for one CVE
  • [DLA 3378-1] duktape security update for one CVE
  • [1033759] pu-bug for duktape/bullseye

I also participated in the monthly LTS-meeting.

Last but not least I did some days of frontdesk duties and took care of issues on security-master.

Debian ELTS

This month was the fifty sixth ELTS month.

  • [ELA-821-1] xorg-server embargoed security update of Jessie and Stretch for one CVE
  • [ELA-824-1] libmicrohttpd security update of Jessie and Stretch for one CVE

The duktape update in Stretch is more complicated than expected and I could not finish it this month.

I also started to work on openssl1.0

Last but not least I did some days of frontdesk duties

Debian Printing

This month I uploaded new versions or improved packages of:

  • hplip (bug fixing)
  • cups (update translations)

The unblock bug for hplip was already processed, the unblock bug for cups is still waiting. Hopefully the last minute work of the translators was not wasted.

Parts of this work is generously funded by Freexian!

Other stuff

Looking at my notes, there is nothing to be reported here.