Posted on

My Debian Activities in November 2023

FTP master

This month I accepted 276 and rejected 25 packages. The overall number of packages that got accepted was 276. I also handled several RM bugs, so the archive did not grow that much :-).

Debian LTS

This was my hundred-thirteenth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

During my allocated time I uploaded:

  • [DLA 3670-1] minizip security update for one CVE to fix an integer overflow
  • [DLA 3673-1] gst-plugins-bad1.0 security update for one CVEs to fix an use-after-free
  • [#1056934] Bookworm PU-bug for libde265
  • [#1056935] Bullseye PU-bug for libde265
  • [#1056737] Bookworm PU-bug for minizip
  • [#1056738] Bullseye PU-bug for minizip
  • [libde265] sponsor upload to unstable
  • [zlib] all CVEs could be marked as not-affected

The update of libde265 was a bit unusual this time. The security tracker had three CVEs listed for it and the maintainer was looking for a sponsor to fix them in Unstable. So far, so good! I sponsored the upload and suddenly a fourth CVE appeared in the security tracker. As the debian/changelog mentioned a different CVE, it was automatically added. Indeed upstreams changelog contained a patch for a CVE that was reserved but not yet published (hence the security tracker could not connect it to libde265). I informed upstream and as things turned out marking the CVE as public was just forgotten. Luckily there was some time left for the upcoming point release and all four patches finally arrived in Bookworm.

Debian ELTS

This month was the sixty-fourth ELTS month. During my allocated time I uploaded:

  • [ELA-1004-1] libde265 update in Jessie and Stretch for three CVEs. The issues are related to segmentation faults and bufferf overflows in different functions, which might result in DoS.
  • [ELA-1006-1] libde265 update in Jessie and Stretch for one CVE. This issue is related to an buffer over read which might result in an information leak or denial of service when processing crafted H.265 files
  • [ELA-1010-1 ]minizip update in Stretch for one CVE. This issue was related to a heap-based buffer overflow.
  • [ELA-1015-1] gst-plugins-bad1.0 update in Jessie and Stretch for one CVEs to fix a use-after-free of some pointers within the MXF demuxer.

In order to check whether the patch for the standalone version of minizip was ok, I used a test from the embedded minizip version in chromium and it worked.

Debian Printing

This month I uploaded a new upstream version of:

Within the context of preserving old printing packages, I adopted:

If you know of any other package that is also needed and still maintained by the QA team, please tell me.

This work is generously funded by Freexian!

Debian Astro

This month I uploaded a new upstream version of:

Debian IoT

This month I uploaded a new upstream version of:

Debian Mobcom

This month I uploaded a package to fix one or the other issue:

Other stuff

This month I uploaded new upstream version of packages, did a source upload for the transition or uploaded it to fix one or the other issue:

Posted on

My Debian Activities in October 2023

FTP master

This month I accepted 361 and rejected 34 packages. The overall number of packages that got accepted was 362.

Debian LTS

This was my hundred-twelfth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

During my allocated time I uploaded:

  • [DLA 3615-1] libcue security update for one CVE to fix an out-of-bounds array access
  • [DLA 3631-1] xorg-server security update for two CVEs. These were embargoed issues related to privilege escalation
  • [DLA 3633-1] gst-plugins-bad1.0 security update for three CVEs to fix possible DoS or arbitrary code execution when processing crafted media files.
  • [1052361]bookworm-pu: the upload has been done and processed for the point release
  • [1052363]bullseye-pu: the upload has been done and processed for the point release

Unfortunately upstream still could not resolve whether the patch for CVE-2023-42118 of libspf2 is valid, so no progress happened here.
I also continued to work on bind9 and try to understand why some tests fail.

Last but not least I did some days of frontdesk duties and took part in the LTS meeting.

Debian ELTS

This month was the sixty-third ELTS month. During my allocated time I uploaded:

  • [ELA-978-1]cups update in Jessie and Stretch for two CVEs. One issue is related to missing boundary checks which might lead to code execution when using crafted postscript documents. The other issue is related to unauthorized access to recently printed documents.
  • [ELA-990-1]xorg-server update in Jessie and Stretch for two CVEs. These were embargoed issues related to privilege escalation.
  • [ELA-993-1]gst-plugins-bad1.0 update in Jessie and Stretch for three CVEs to fix possible DoS or arbitrary code execution when processing crafted media files.

I also continued to work on bind9 and as with the version in LTS, I try to understand why some tests fail.

Last but not least I did some days of frontdesk duties .

Debian Printing

This month I uploaded a new upstream version of:

Within the context of preserving old printing packages, I adopted:

If you know of any other package that is also needed and still maintained by the QA team, please tell me.

I also uploaded new upstream version of packages or uploaded a package to fix one or the other issue:

This work is generously funded by Freexian!

Debian Mobcom

This month I uploaded a package to fix one or the other issue:

  • osmo-pcu The bug was filed by Helmut and was related to /usr-merge

Other stuff

This month I uploaded new upstream version of packages, did a source upload for the transition or uploaded it to fix one or the other issue:

Posted on

My Debian Activities in June 2023

FTP master

This month I accepted 221 and rejected 33 packages. The overall number of packages that got accepted was 221.

Yeah, Bookworm was released this month. Thanks a lot to everybody who was involved in doing this.

Debian LTS

This was my hundred-eighth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian. 

This month my all in all workload has been 14h.

During that time I uploaded:

  • [DLA 3440-1] cups security update for one CVE (as the CVE was embargoed, most of the work was done in May but the upload happened in June)
  • [unstable] upload of cups 2.4.2-4 to fix CVE-2023-32324
  • [DLA 3461-1] libfastjson security update for one CVE
  • [DLA 3465-1] minidlna security update for one CVE
  • [DLA 3476-1] cups security update for one CVE
  • [unstable] upload of cups 2.4.2-5 to fix CVE-2023-34241
  • [#1039026] pu-bug for cups to fix CVE-2023-32324 and CVE-2023-34241 in Bookworm; upload was done as well
  • [#1039040] pu-bug for cups to fix CVE-2023-32324 and CVE-2023-34241 in Bullseye; upload was done as well

I also did some work on security-master to inject missing dependencies for some packages and processed NEW.

Last but not least I did some days on frontdesk duties and took part in the LTS meeting.

Debian ELTS

This month was the fifty ninth ELTS month.

  • [ELA-860-1] cups security update in Jessie and Stretch for one CVE
  • [ELA-872-1] libfastjson security update in Stretch for one CVE
  • [ELA-887-1]cups security update in Jessie and Stretch for one CVE

I also made some progress with the openssl1.0 update.

Last but not least I did some days on frontdesk duties.

Debian Astro

This month I uploaded some packages to fix one or the other issue:

This month I even uploaded a new package c-munipack, which is more or less the successor of munipack, and can be used for example to analyse light curves of variable stars.
Another new package is virtualgps, where the name says it all.

Debian Printing

This month I did a security upload of cpdb-libs to fix a CVE in Unstable, Bookworm and Bullseye.
This work is generously funded by Freexian!

Debian Mobcom

This month I could upload a new version of:

Other stuff

This month I restarted DOPOM (Debian Orphaned Package Of the Month) and adopted:

Hopefully this will result in a new upload of vdr-plugin-live. I would like to have this package for my personal VDR.

I also did an upload of:

Posted on

My Debian Activities in May 2023

FTP master

This month I accepted 157 and rejected 22 packages. The overall number of packages that got accepted was 160.

Debian LTS

This was my hundred-seventh month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian. 

This month my all in all workload has been 14h.

During that time I uploaded:

  • [DLA 3430-1] cups-filters security update for one CVE
  • [DSA 5407-1] cups-filters security update for one CVE
  • [unstable] upload of cups-filters to fix CVE-2023-24805
  • [#1036548] unblock bug to fix CVE-2023-24805 in bookworm
  • [unstable] upload of sniproxy to fix CVE-2023-25076
  • [DSA 5413-1] sniproxy security update in Bullseye for one CVE
  • [cups] working to fix CVE-2023-32324 in unstable, Bookworm, Bullseye, Buster

The CVEs for cups-filters and cups have been embargoed ones, so the work for cups was done in May but the uploads happen in June.

I also did some work on security-master to inject missing dependencies for hugo and gitlab-workhose.

Last but not least I did some days on frontdesk duties.

Debian ELTS

This month was the fifty eighth ELTS month.

  • [ELA-852-1] cups-filters security update in Jessie and Stretch for one CVE
  • [ELA-856-1] freetype security update in Jessie and Stretch for two CVEs
  • [ELA-857-1] libtasn1-6 security update in Jessie and Stretch for one CVE
  • [cups] working to fix CVE-2023-32324 in Jessie and Stretch

The CVEs for cups-filters and cups have been embargoed ones, so the work for cups was done in May but the uploads happen in June.

Last but not least I did some days on frontdesk duties.

Debian Astro

This month I uploaded some packages to fix RC bugs, that were
detected by one of many QA tools:

Thanks a lot to all the hardworking people who run these tools!

Debian Printing

This month I could fix RC bugs in:

This work is generously funded by Freexian!

Debian Mobcom

This month I could fix RC bugs in:

Other stuff

Some other packages also had last minute RC bugs:

I even did an upload of a new package force-ip-protocol. I finally had enough of people using IPv6 for their hosts but are unable to configure it. Now I can force firefox, or whatever software, to only use IPv4. One nuisance settled.

Posted on

My Debian Activities in December 2022

FTP master

This month I accepted 276 and rejected 27 packages. The overall number of packages that got accepted was 288.

Debian LTS

This was my hundred-second month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian. 

This month my all in all workload has been 14h but due to Christmas I managed only to do 10h.

During that time I uploaded:

  • [DLA 3256-1] xorg-server security update for six CVEs
  • [DLA 3255-1] mplayer security update for ten CVEs

Debian ELTS

This month was the fifty third ELTS month.

During my allocated time I marked all CVEs of the multipath-tools as not-affected and started to work on another snapd update. As I spend more time than expected with my family, I also failed to accomplish my ELTS workload.

Last but not least I did some days of frontdesk duties.

Debian Astro

This month I uploaded improved packages or new versions of:

I also updated almost all of the about 50 indi-3rdparty packages.

Debian Mobcom

This month I uploaded improved packages of:

Debian IoT

This month I uploaded improved packages of:

Debian Printing

This month I uploaded improved packages of:

Other stuff

This month I uploaded improved packages of:

Further I uploaded new versions of a bunch of golang packages.

Posted on

My Debian Activities in November 2022

FTP master

This month I accepted 292 and rejected 43 packages. The overall number of packages that got accepted was 295.

Debian LTS

This was my hundred-first month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian. 

This month my all in all workload has been 14h.

During that time I uploaded:

  • [DLA 3200-1] graphicsmagick security update for one CVE
  • [DLA 3201-1] ntfs-3g security update for one CVE
  • [inetutils]found unfixed CVE in latest DLA

I also started to work on ring, but this seems to be a pile of work. Not least because at the moment the package does not migrate to testing.

Further I started to investigate what packages are really affected by CVE-2018-17942. It looks like some upstreams and their corresponding maintainers did not care about that CVE in the embedded gnulib.

Last but not least I did some days of frontdesk duties.

Debian ELTS

This month was the fifty second ELTS month.

During my allocated time I uploaded:

  • [ELA-736-1] ntfs-3g security update of Jessie and Stretch for one CVE
  • [ELA-745-1] snapd security update of Jessie for two CVEs
  • [ELA-746-1] inetutils security update of Jessie for two CVEs

Last but not least I did some days of frontdesk duties.

Debian Mobcom

This month I uploaded improved packages of:

Other stuff

This month I uploaded improved packages of:

Posted on

My Debian Activities in October 2022

FTP master

This month I accepted 484 and rejected 55 packages. The overall number of packages that got accepted was 492.

Debian LTS

This was my hundredth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.  Woohoo, There is a party. (yes I am old). Unfortunately there are already 101 completed month listed in the debian-lts-announce archive, so I seem to have counted wrong once. *sigh*, yes I am old.

This month my all in all workload has been 14h.

During that time I uploaded:

  • [DLA 3168-1] openvswitch security update for one CVE
  • [DLA 3167-1] ncurses security update for one CVE
  • [#1020596] bullseye-pu: mod-wsgi/4.7.1-3+deb11u1 upload
  • [graphicsmagick] debdiff for Bullseye sent to security team (update as DLA or via PU?)
  • [graphicsmagick] prepared upload for Buster
  • [libvncserver] debdiff for Buster and Bullseye sent to maintainer (no upload yet :-()

I also started to work on virglrenderer.

Last but not least I took care of NEW packages on security-master.

Debian ELTS

This month was the fifty first ELTS month.

During my allocated time I uploaded:

  • [ELA-719-1] graphicsmagick security update of Jessie and Stretch for one CVE
  • [ELA-720-1] bluez security update of Jessie and Stretch for three CVEs
  • marked two CVEs of curl as not-affected for Jessie and Stretch
  • checked that all patches for dpdk need to be backported, unfortunately that was beyond my capabilities

I also started to work on snapd.

Last but not least I finally managed to become familiar with the git workflow and imported several packages to the salsa repository.

Debian Astro

This month I uploaded new upstream versions or improved packaging of:

I also uploaded a new package pysqm. This software supports the Sky Quality Meters made by Unihedron. I was kindly given an SQM-LU for USB and SQM-LE with network adapter. I plan to put a working Python3 version of the old PySQM software into Debian, package the UDM (Unihedron Device Manager) and finally check the support within Indi.

Debian IoT

This month I uploaded new upstream versions or improved packaging of:

Debian Mobcom

This month I finished the transition of the Osmocom packages, except
osmo-mgw and osmo-msc seem to have problems. I have no idea how I can solve this, so help is appreciated.

Other stuff

This month I uploaded new packages:

Posted on

My Debian Activities in September 2022

FTP master

This month I accepted 226 and rejected 33 packages. The overall number of packages that got accepted was 232.

All in all I addressed about 60 RM-bugs and either simply removed the package or added a moreinfo tag. In total I spent 5 hours for this task.

Anyway, I have to repeat my comment from last month: please have a look at the removal page and check whether the created dak command is really what you wanted. It would also help if you check the reverse dependencies and write a comment whether they are important or can be ignored or also file a new bug for them. Each removal must have one bug!

Debian LTS

This was my ninety-ninth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 14h.

During that time I uploaded:

  • [DLA 3111-1] mod-wsgi security update for one CVE
  • [#1020596] bullseye-pu: mod-wsgi/4.7.1-3+deb11u1
  • [DLA 3119-1] expat security update for one CVE
  • [DLA 3125-1] libvncserver security update for two CVEs
  • [DLA 3126-1] libsndfile security update for one CVE
  • [DLA 3127-1] libhttp-daemon-perl security update for one CVE
  • [DLA 3130-1] tinyxml security update for one CVE

I also started to work on frr.

Last but not least I did some days of frontdesk duties and took care of issues on security-master.

Debian ELTS

This month was the fiftieth ELTS month.

During my allocated time I uploaded:

  • [ELA-685-1] ntfs-3g security update of Stretch for eight CVE
  • [ELA-686-1] expat security update of Jessie and Stretch for one CVE
  • [ELA-690-1] libvncserver security update of Stretch for one CVE

Last but not least I did some days of frontdesk duties.

Debian Printing

This month I uploaded new upstream versions or improved packaging of:

Debian IoT

This month I uploaded new upstream versions or improved packaging of:

Debian Mobcom

This month I started another upload session for new upstrea versions:

Other stuff

This month I uploaded new packages:

Posted on

My Debian Activities in August 2020

FTP master

This month I accepted 159 packages and rejected 16. The overall number of packages that got accepted was 172.

Debian LTS

This was my seventy-fourth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 21.75h. During that time I did LTS uploads of:

  • [DLA 2336-1] firejail security update for two CVEs
  • [DLA 2337-1] python2.7 security update for nine CVEs
  • [DLA 2353-1] bacula security update for one CVE
  • [DLA 2354-1] ndpi security update for one CVE
  • [DLA 2355-1] bind9 security update for two CVEs
  • [DLA 2359-1] xorg-server security update for five CVEs

I also started to work on curl but did not upload a fixed version yet. As usual, testing the package takes up some time.

Last but not least I did some days of frontdesk duties.

Debian ELTS

This month was the twenty sixth ELTS month.

During my allocated time I uploaded:

  • ELA-265-1 for python2.7
  • ELA-270-1 for bind9
  • ELA-272-1 for xorg-server

Like in LTS, I also started to work on curl and encountered the same problems as in LTS above.

Last but not least I did some days of frontdesk duties.

Other stuff

This month I found again some time for other Debian work and uploaded packages to fix bugs, mainly around gcc10:

I also uploaded new upstream versions of:

All package called *osmo* are developed by the Osmocom project, that is about Open Source MObile COMmunication. They are really doing a great job and I apologize that my uploads of new versions are mostly far behind their development.

Some of the uploads are related to new packages:

Posted on

My Debian Activities in March 2020

FTP master

This month I accepted 156 packages and rejected 26. The overall number of packages that got accepted was 203.

Debian LTS

This was my sixty ninth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 30h. During that time I did LTS uploads of:

  • [DLA 2156-1] e2fsprogs security update for one CVE
  • [DLA 2157-1] weechat security update for three CVEs
  • [DLA 2160-1] php5 security update for two CVEs
  • [DLA 2164-1] gst-plugins-bad0.10 security update for four CVEs
  • [DLA 2165-1] apng2gif security update for one CVE

Also my work on graphicsmagic was accepted which resulted in:

  • [DSA 4640-1] graphicsmagick security update in Buster and Strech for 16 CVEs

Further I sent debdiffs of weechat/stretch, weechat/buster, e2fsprogs/stretch to the corresponding maintainers but got no feedback yet.

As there have been lots of no-dsa-CVEs accumulated for wireshark, I started to work on them but could not upload yet.

Last but not least I did some days of frontdesk duties.

Debian ELTS

This month was the twenty first ELTS month.

During my really allocated time I uploaded:

  • ELA-218-1 for e2fsprogs
  • ELA-220-1 for php5
  • ELA-221-1 for nss

I also did some days of frontdesk duties.

Other stuff

Unfortunately this month again strange things happened outside Debian and the discussions within Debian did not stop. Nonetheless I got some stuff done.

I improved packaging of …

I sponsored uploads of …

  • … ocf-spec-core
  • … theme-d-gnome

Sorry to all people who also requested sponsoring, but sometimes things happen and your upload might be delayed.

I uploaded new upstream versions of …

On my Go challenge I uploaded:
golang-github-dreamitgetit-statuscake, golang-github-ensighten-udnssdk, golang-github-apparentlymart-go-dump, golang-github-suapapa-go-eddystone, golang-github-joyent-gosdc, golang-github-nrdcg-goinwx, golang-github-bmatcuk-doublestar, golang-github-go-xorm-core, golang-github-svanharmelen-jsonapi, golang-github-goji-httpauth, golang-github-phpdave11-gofpdi