sunweaver's NET

In December 2019, I have worked on the Debian LTS project for 15 hours (of 15 hours planned) and on the Debian ELTS project for 5 hours (of 5 hours planned) as a paid contributor.

LTS Work

• Triage 14 packages during my frontdesk week (tomcat7, tomcat8, lout, apache-log4j1.2, x2goclient (libssh regression), nethack, nethack, cyrus-sasl2, php5, libjpeg-turbo, transfig, ruby-rack, ruby-excon)
• Upload to jessie-security: cyrus-sasl2 (DLA-2044-1 [1]), 1 CVE
• Deeply dive into tightvnc CVE issue hunting and help matching various CVEs between src:libvncserver and src:tightvnc, digging out patches, etc.
• Upload to jessie-security: tightvnc (DLA-2045-1 [2]), 9 CVEs
• Upload to jessie-security: x2goclient (DLA-2038-2 [7]) (fixing a regression caused by a recent libssh security upload; see DLA_2038-1 / CVE-2019-14889) [3]
• Ping DLange and ggings about getting the libssh regression regarding x2goclient fixed in Ubuntu (LTS) [4]
• Ping the release team on security update status regarding CVE-2019-14889/libssh (bundled with an X2Go Client update) for stretch + buster.
• NMU-upload (to DELAYED/10) tightvnc targetting Debian unstable [5]. Waiting for the former maintainer to ACK the NMU or re-do it himself.

In November 2019, I have worked on the Debian LTS project for 15 hours (of 15 hours planned) and on the Debian ELTS project for 5 hours (of 5 hours planned) as a paid contributor.

For LTS, I, in fact, pulled over 1.7 hours from October, so I realy only did 13.3 hours for LTS in November.

(This is only half-true, I worked a considerable amount of hours on this libvncserver code bundle audit, but I am just not invoicing all of it).

LTS Work

• Triage jhead, libapache2-mod-auth-openidc, mailutils, python-psutil, ruby-rack-cors during (actually one day after, in coordination with Thorsten Alteholz) my first LTS frontdesk week this month.
• Triage asterisk, gnome-font-viewer, gnome-sushi, libjackson-json-java, proftpd-dfsg during my second week at LTS frontdesk this month.

In October 2019, I have worked on the Debian LTS project for 11.75 hours (of 11.75 hours planned) and on the Debian ELTS project for 0 hours (of 5 hours planned) as a paid contributor. I have given back those 5 ELTS hours to the pool.

LTS Work

• Work on a pre-OpenSSL-1.0.2 patch, adding hostname validation support to imapfilter as found in Debian jessie (built against OpenSSL 1.0.1t) [1]
• File a Github PR against imapfilter upstream that got OpenSSL versioned #ifdef'ed code sections straight [2]
• upload imapfilter 2.5.2-2+deb8u1 to jessie-security (DLA-1976-1 [3], 1 CVE)
• upload libvncserver 0.9.9+dfsg2+deb8u6 to jessie-security (DLA-1977-1 [4], 1 CVE)
• do a security audit of libvncserver-derived packages in Debian [5]
• upload italc 1:2.0.2+dfsg1-2+deb8u1 to jessie-security (DLA-1979-1 [6], 21 CVEs)

In fact, preparing the italc security upload needed more time (an extra of 1.7h) than available for my LTS work in October. In my mind, I will move over these 1.7h to November and invoice them then.

In November, I plan to follow-up on the VNC security audit and prepare several VNC related package uploads to Debian jessie LTS.

Over the past month I worked on re-scripting the installation process of a Debian Edu system (minimal installation profile and workstation installation profile for now) by utilizing FAI [1].

My goal on this is to get the Debian Edu FAI config space into Debian bullseye (as package: debian-edu-fai) and provide an easy setup method for the FAI installation server on an existing Debian Edu site.

Note: I do not intend to bootstrap a complete Debian Edu site via FAI. The use case is: get your Debian Edu main server up and running, add host faiserver.intern and install all your site's client systems via this FAI installation server.

Debian Edu Installation Methods (until today)

Currently, we only have a D-I based installation method (over PXE or ISO image) at hand with several disadvantages:

• requires interaction
• not really customizable
• comparingly slow (now that I have seen FAI do these things)

All of the above problems can be solved by installing Debian Edu via a FAI configuration.

Debian Edu Installation via FAI ( This rocks so much!!! )

As you may guess, but I need to repeat the above (because I am so excited about it), here are the advantages of installing Debian Edu via FAI:

• Debian Edu installation via FAI is incredibly fast
• Customization: drop in some more files into the FAI config space and you have a customized setup.

In September 2019, I have worked on the Debian LTS project for 11 hours (of 12 hours planned) and on the Debian ELTS project for another 2 hours (of 12 hours planned) as a paid contributor. I have given back the 10 ELTS hours, but will keep the 1 LTS hour and move it over to October. As I will be gone on family vacation during two weeks of Octobre I have reduced my workload for the coming months accordingly (10 hours LTS, 5 hours ELTS).

LTS Work

• Patch review on qemu (regarding DLA-1927-1)
• Perform regression tests on previous LTS uploads of 389-ds-base (see [1,2] for results/statements)
• Upload netty 3.2.6.Final-2+deb8u1 to jessie-security (DLA-1941-1 [3]), fixing 1 CVE
• Triage nghttp2, probably not affected by CVE-2019-9511 and CVE-2019-9513. The code base is really different around the passages where the fixing patches have been applied by upstream. I left a comment in dla-needed.txt plus asked for a second opinion. [4]
• Go over all 2019 LTS announcements in the webwml.git repository and ping LTS team members (including myself) on missing webwml DLAs.
• Upload phpbb3 3.0.12-5+deb8u4 to jessie-security (DLA-1942-1 [5]), fixing 1 (or 2) CVE(s). Regarding the phpbb3 upload, Sylvain Beucler and I are currently discussing [6] whether CVE-2019-13376 got actually fixed with this upload or not.

From one of my customers, I received the request to figure out an installation pathway for ActivInspire, the Promethean smart board software suite. ActivInspire is offered as DEB builds for Ubuntu 18.04. On a Debian 10 (aka buster) system the installation requires some hack-around (utilizing packages from Debian jessie LTS).

Here is the quick-n-dirty recipe:

APT Key for "Promethean Ltd <support@prometheanworld.com>"

The APT key you need for downloading packages from Promethean's package archive can be obtained like this:

$ gpg --search-keys 0x300035F2484C6FED
$ gpg --export -a 0x300035F2484C6FED | sudo apt-key add -

Afterwards, you should find the key added to APT's GnuPG keyring. Verify that:

$ sudo apt-key adv --fingerprint D3CDA26CC37F568DD4A8DE68300035F2484C6FED
Executing: /tmp/user/0/apt-key-gpghome.HMo8gCMGUG/gpg.1.sh --fingerprint D3CDA26CC37F568DD4A8DE68300035F2484C6FED
pub   rsa4096 2017-03-02 [SC]
      D3CD A26C C37F 568D D4A8  DE68 3000 35F2 484C 6FED
uid        [ unbekannt ] PrometheanLtd <support@prometheanworld.com>
sub   rsa4096 2017-03-02 [E]

Tweak APT's Installation Sources

Next, add the below lines to a new file called /etc/apt/sources.list.d/promethean.list. The software will require to grab some packages (e.g.

Over the past weekend I attended "X2Go - The Gathering 2019". This year's venue was LinuxHotel in Essen. It was good to come back here.

Things that I got DONE while at the Gathering

X2Go related topics I worked on...

• Three informal talks about:
  • the new/alternative X2Go Kdrive graphics backend for X2Go
  • status report of my work on the X2Go Plugin for Remmina
  • brain storming session: accessing X2Go sessions from a web browser
• Get Ubuntu Gnome Desktops (from 18.04 or later) working in X2Go (with X2Go Kdrive backend being used)
• Hide color manager authentication dialog on session startup of Gnome-based sessions in X2Go by nastily tweaking colord's policy kit rule set
• Discuss various issues around nx-libs with Ulrich Sibiller and Mihai Moldovan
• Discuss Free Software and Civil Administration with Heinz-M. Graesing
• Discuss Free Software solutions for schools with Heinz-M.

"IServ Schulserver" [1] is a commercial school server developed by a company in Braunschweig, Germany. The "IServ Schulserver" is a product based on Debian. The whole project started as a students' project.

The "IServ" is an insular school server (one machine for everything + backup server) that provides a web portal / communication platform for the school (reachable from the internet), manages the school's MS Windows® clients via OPSI [2] and provides other features like chatrooms, mail accounts, etc.

The "IServ Schulserver" has written quite a success story in various areas of Germany, recently. IServ has been deployed at many many schools in Northrhein-Westfalia, Lower Saxony and Schleswig-Holstein. You can easily find those schools on the internet, if you search the web for "IServ IDesk".

The company that is developing "IServ" has various IT partner businesses all over Germany that deploy the IServ environment at local schools and are also the first point of contact for support.

It's all hear-say...

So, last night, I heard about a security design flaw not having been fixed / addressed since I had first heard about it. That was in 2014, when one of the Debian Edu schools I supported back then migrated over to IServ. At that time, the below could be confirmed. Last night, I learned that the following is still an issue on an IServ machine deployed recently here in Schleswig-Holstein (its deployment dates only a few weeks back). It's all hear-say, you know.

In August 2019, I have worked on the Debian LTS project for 24 hours (of 24.75 hours planned) and on the Debian ELTS project for another 2 hours (of 12 hours planned) as a paid contributor.

LTS Work

• Upload fusiondirectory 1.0.8.2-5+deb8u2 to jessie-security (1 CVE, DLA 1875-1 [1])
• Upload gosa 2.7.4+reloaded2+deb8u4 to jessie-security (1 CVE, DLA 1876-1 [2])
• Upload gosa 2.7.4+reloaded2+deb8u5 to jessie-security (1 CVE, DLA 1905-1 [3])
• Upload libav 6:11.12-1~deb8u8 to jessie-security (5 CVEs, DLA 1907-1 [4])
• Investigate on CVE-2019-13627 (libgcrypt20). Upstream patch applies, build succeeds, but some tests fail. More work required on this.
• Triage 14 packages with my LTS frontdesk hat on during the last week of August
• Do a second pair of eyes review on changes uploaded with dovecot 1:2.2.13-12~deb8u7
• File a merge request against security-tracker [5], add --minor option to contact-maintainers script.

ELTS Work

• Investigate on CVE-2019-13627 (libgcrypt11). More work needed to assess if libgrypt11 in wheezy is affected by CVE-2019-13627.

References

• [1] https://lists.debian.org/debian-lts-announce/2019/08/msg00008.html
• [2] https://lists.debian.org/debian-lts-announce/2019/08/msg00009.html
• [3] https://lists.debian.org/debian-lts-announce/2019/08/msg00039.html
• [4] https://lists.debian.org/debian-lts-announce/2019/09/msg00000.html
• [5] https://salsa.debian.org/security-tracker-team/security-tracker/merge_re...

Long time not blogged about, however, there is a new release of nx-libs: nx-libs 3.5.99.22.

What is nx-libs?

The nx-libs team maintains a software originally developed by NoMachine under the name nx-X11 (version 3) or shorter: NXv3. For years now, a small team of volunteers is continually improving, fixing and maintaining the code base (after some major and radical cleanups) of NXv3. NXv3 aka x2goagent has been the only graphical backend in X2Go [0], a remote desktop framework for Linux terminal servers, over the past years.

(Spoiler: in the near future, there will be two graphical backends for X2Go sessions, if you got curious... stay tuned...).

Credits

You may have noticed, that I skipped announcing several releases of nx-libs. All interim releases should have had their own announcements, indeed, as each of them deserved it. So I am sorry and I dearly apologize for not mentioning all the details of each individual release. I am sorry for not giving credits to the team of developers around me who do pretty hard work on keeping this beast intact.

The more, let me here here and now especially give credits to Ulrich Sibiller, Mihai Moldovan and Mario Trangoni for keeping the torch burning and for actually having achieved awesome results in each of the recent nx-libs releases over the past year or so. Thanks, folks!!!

Luckily, Mihai Moldovan (X2Go Release Manager) wrote regular release announcements for every version of nx-libs that he pulled over to the X2Go Git site and the X2Go upstream-DEBs archive site [1].