Debian LTS/ELTS
This was the hundred-forty-third month in which I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.
During my allocated time I uploaded or worked on:
- [DLA 4580-1] exim4 security update to fix one CVE related to remote code execution.
- [DLA 4591-1] rsync security update to fix five CVEs related to local root privilege escalation.
- [#1134340] trixie-pu bug for libcoap3 to fix two CVEs in Trixie; the debdiff was confirmed and the upload was accepted to the proposed update queue.
- [#1126167] bookworm-pu upload of zvbi has been flagged for acceptance.
- [#1126273] bookworm-pu upload of taglib has been flagged for acceptance.
- [#1126370] bookworm-pu upload of libuev has been flagged for acceptance.
- [hplip] upload to sid to fix two CVEs.
This was a rather strange month. The details about the embargoed exim4 issue arrived only after I had already gone to bed and the embargo lift was 18 hours later. Luckily Stretch was not really affected and the uploads for Bullseye and Buster went out on time.
Something similar happened with the embargoed issue of rsync. The info arrived at 8:00 in the morning and the embargo lift was at 2:00 the next morning. From a European's point of view, the Australians do have strange time zones. But there is more to this than that. Upstream sent more than 50(!) patches for these five CVEs that needed a backport to Bullseye. As things turned out, there is a regression in the upload to Unstable and investigations are ongoing whether this regression is also available in the backported patches for Trixie, Bookworm and Bullseye. So rsync updates for Buster and Stretch are in the works, but I am afraid they need some more time.
All good things come in threes. Two critical CVEs of hplip appeared and a new upstream version was released by HP. HP is no longer interested in working with distributions and over time more than 80 patches have been accumulated that need a rebase for a new upstream version. For that reason I avoid this package as much as I can, but two critical CVEs did apply some kind of pressure on the maintainer. So I finally managed to do this update and the latest version of hplip is now in Debian. Nevertheless, this feels good :-). Anyway, it is not over yet. HP does not have a public repository nor do they publish patches for these CVEs. So I am still searching for the correct fixes to backport them to Bullseye, Buster and Stretch. The other distributions have the same problem and a silver lining appears on the horizon.
I also prepared an update of gimp for Buster and Stretch, but due to an accident I only managed to release the corresponding ELA in June. The accident was also the reason for only half a week of FD. Thanks to Daniel who took over.
Debian Printing
This month I uploaded new upstream versions of:
- … lprng to unstable.
- … epson-inkjet-printer-escpr to unstable.
- … hplip to unstable.
This work is generously funded by Freexian!
Debian Lomiri
This month I continued to work on unifying packaging on Debian and Ubuntu. This makes it easier to work on those packages independently of the platform used.
This work is generously funded by Fre(i)e Software GmbH!
Debian Astro
This month I uploaded a new upstream version or a bugfix version of:
- … supernovas to unstable (sponsored upload).
- … virtualgps to unstable.
- … nautic to unstable.
Debian IoT
This month I uploaded a new upstream version or a bugfix version of:
- … pyicloud to unstable.
misc
This month I uploaded a new upstream version or a bugfix version of:
- … visam to unstable.
- … tntdb to unstable.
- … ae56 to unstable.
- … texify to unstable.
- … chktex to unstable.
- … ta-lib to unstable.
I also got rid of gypsy, which no longer makes sense to maintain in Debian, as gpsd is way better.