sunweaver's NET

In March 2019, I have worked on the Debian LTS project for 14 hours (of 10 hours planned plus 4 hours pulled over from February) and on the Debian ELTS project for another 2 hours (of originally planned 6 hours) as a paid contributor.

LTS Work

• CVE triaging (ntp, glib2.0, libjpeg-turbo, cron, otrs2, poppler)
• Sponsor upload to jessie-security (aka LTS): cron (DLA 1723-1 [1])
• Upload to jessie-security (aka LTS): openssh (DLA 1728-1 [2])
• Upload to jessie-security (aka LTS): libssh2 (DLA 1730-1 [3])
• Upload to jessie-security (aka LTS): libav (DLA 1740-1 [4])

ELTS Work

• Create .debdiff for cron src:pkg targetting wheezy (but I failed to build it due to two issues with Debian 10 as build machine)
• Discover and document that kernel boot parameter "vsyscall=emulate" is required for building wheezy packages on Debian 10. (See #844350 and #845942 for details).
• Bug hunt sbuild bug #926161 in sbuild 0.78.1-1 [5]

References

• [1] https://lists.debian.org/debian-lts-announce/2019/03/msg00025.html
• [2] https://lists.debian.org/debian-lts-announce/2019/03/msg00030.html
• [3] https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html
• [4] https://lists.debian.org/debian-lts-announce/2019/03/msg00041.html
• [5] https://bugs.debian.org/926161

Today, I talked to Christoph. He is from a local, rather new intiative here in Nothern Germany:

     Picknick im Funkloch

(Picnic in the Dead Zone).

We discussed how DAS-NETZWERKTEAM (my FLOSS business) can support that initiative on the technical level (we will start with mailing lists).

The Picnic in the Dead Zone initiative aims at making people more aware of possible health and social consequences that may be caused by the upcoming 5G mobile standard reaching 90%-plus coverage.

Personally, I know individual people who are (highly) sensitive to electro-magnetic radiation and fields (they can tell you if wireless network is on or off, tell you which access point where in the house is on or off, can differentiate between WiFi and PoweLAN, etc.). For people with such a sensitivity it is crucial to have spots in the country they want to live in, where electro-magnetic radiation is at a minimum level. Mobile connectivity does not work for everyone. Hyper-sensitive people suffer from it, in fact.

@all-the-Germans: Currently, there is an ePetition waiting for (maybe your) signature(s) on the German Bundestag's ePetition home page. The signing deadline is pretty close: 4th April 2019.

In February 2019, I have worked on the Debian LTS project for 6 hours (of originally planned 10 hours) and on the Debian ELTS project for another 6 hours as a paid contributor. The non-worked 4 LTS hours I will carry over into March 2019.

LTS Work

• Upload and announce FreeRDP security fixes and RDP v6 / CredSSP v3 proto updates (DLA-1666-1 [1])

ELTS + LTS Work (shared hours)

• Chew on OpenSSH security fixes. Esp. CVE-2019-6111 caused me headaches with the final result that the said fix for CVE-2019-6111 did not fix it entirely. See Debian bug #923486 [2].

CVE-2019-6111 has already been amended fully now in Debian unstable's and stable's version of OpenSSH. For jessie LTS a fixed version will be provided within the next couple of days.

References

• https://lists.debian.org/debian-lts-announce/2019/02/msg00015.html
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923486

Believe it or not, I just upgraded my old Drupal 6 instances serving e.g. my blog [1] to Drupal 6 LTS v6.49.

Thanks a lot to Elliot Christenson for continuing Drupal 6 security support. See [2] for more information about Drupal 6 LTS support provided by his company.

[1] https://sunweavers.net/blog
[2] https://www.mydropwizard.com/blog

In January 2019, I have worked on the Debian LTS project for 10 hours and on the Debian ELTS project for 2 hours (of originally planned 6 + 1 hours) as a paid contributor. The non-worked 5 ELTS hours I have given back to the pool of available work hours.

LTS Work

• Fix one CVE issue in sssd (DLA-1635-1 [1]).
• Fix five CVE issues in libjpeg-turbo (DLA 1638-1 [2]).
• Fix some more CVE issues in libav (DLA-1654-1 [3]).
• FreeRDP: patch rebasing and cleanup.
• FreeRDP: Testing the proposed uploads, sending out a request for testing [4], provide build previews, some more patch work.
• Give feedback to the Debian stable release team on the planned FreeRDP 1.1 uploads to Debian jessie LTS and Debian stretch.
• Some little bit of CVE triaging during my LTS frontdesk week (a very quiet week it seemed to me)

The new FreeRDP versions have been uploaded at the beginning of February 2019 (I will mention that properly in my next month's LTS work summary, but you may already want to take a glimnpse at DLA-1666-1 [5]).

ELTS Work

• Start working on OpenSSH security issues currently effecting Debian wheezy ELTS (and also Debian jessie LTS).

The pressing and urgent fixes for OpenSSH will be uploaded during the coming week.

Thanks to all LTS/ELTS sponsors for making these projects possible.

light+love

All family members (including myself) are healthy and well, so I am sitting on my yearly train to Belgium. Looking forward to meeting many of you there.

light+love
Mike

The MATE desktop environment in Debian will be the first desktop environment in Debian that has (still basic) support for detecting its graphical context (esp. detecting, if it is run inside a remote session).

With the packages mate-panel 1.20.4-2 and mate-screensaver 1.20.3-3, two new (preview) features entered Debian recently.

RDA in MATE's panel

If MATE is running inside an X2Go session, the MATE panel will (a) hide the "System" menu's shutdown menu item from users and (b) offer a menu item that allows users to suspend (disconnect) the X2Go session. See upstream PR #824 [1]. More integrations may come, patches welcome.

RDA in MATE's screensaver

Same with MATE's screensaver. If the MATE screensaver locks a MATE session running inside X2Go, it will offer a [ Disconnect X2Go ] button in the screensaver unlock dialog. See upstream PR #159.

While working on this code, I noticed another flaw in MATE screensaver that looks like a variant of CVE-2018-20681 [2]. MATE's screensaver reveals the desktop session's content when (a) resuming a suspend session and (non-critical IMHO, resuming requires user auth) or (b) when resizing the X2Go session window (critical, resizing requires local access to the X2Go client host only).

Recently, Bernhard Miklautz, Martin Fleisz and myself have been working on old FreeRDP code. Our goal was, to get FreeRDP in Debian jessie LTS and Debian stretch working again against recent Microsoft RDP servers.

It has been done now.

Context

In Debian LTS, we were discussing a complex update of the freerdp (v1.1) package. That was before X-mas.

The status of FreeRDP v1.1 (jessie/stretch) then was and still is:

• Since March 2018 freerdp in stretch (and jessie) (Git snapshot of never released v1.1) has been unusable against latest Microsoft Windows servers. All MS Windows OS versions switched to RDP proto version 6 plus CredSSP version 3 and the freerdp versions in Debian jessie/stretch do not support that, yet.
• For people using Debian stretch, the only viable work-around is using freerdp2 from stretch-backports.
• People using Debian jessie LTS don't have any options (except from upgrading to stretch and using freerdp2 from stretch-bpo).
• Currently, we know of four unfixed no-DSA CVE issues in freerdp (v1.1) (that are fixed in buster's freerdp2).

With my Debian LTS contributor hat on, I have started working on the open freerdp CVE issues (whose backported fixes luckily appeared in a Ubuntu security update, so not much work on this side) and ...

... I have started backporting the required patches (at least these: [0a,0b,0c]) to get RDP proto version 6 working in Debian jessie's and Debian stretch's freerdp v1.1 version.

In December 2018, I have worked on the Debian LTS project for 21 hours and on the Debian ELTS project for 5 hours as a paid contributor. The originally planned 11 LTS hours (one hour carried over from November) had been extended to 21 hours. Of the originally planned 6 ELTS hours I carry over one hour to January 2019.

LTS Work

• Fix several CVE issues in libav (DLA-1611-1 [1a] and DLA-1611-2 [1b]).
• Fix the Magellan vulnerability in sqlite3 (DLA-1631-1 [2]).
• Regression fix of poppler (DLA-1562-3 [3])
• Involve FreeRDP upstream into fixing FreeRDP v1.1 in Debian jessie (esp. big thanks to Bernhard Miklautz for giving feedback).
• Port FreeRDP CVE fixes over from Ubuntu [4].
• Backport RDP v6 proto code and CredSSP v3 code from FreeRDP upstream commits to Debian jessie's (and stretch's) FreeRDP v1.1 [5].
• An upload of a fixed FreeRDP v1.1 (both jessie and stretch) can be expected for January 2019. This work will be co-ordinated with the Debian stable release team [6] (feedback is still pending).

ELTS Work

• Setup test and build environment for Debian wheezy ELTS.
• Give feedback on problems when installing Debian wheezy from scratch (although this makes rarely sense for most scenarious, it might help future ELTS developers).
• Research on the Magellan vulnerability in Debian wheezy's sqlite3 [7] and request a second pair of eyes to look at sqlite3 in Debian wheezy (it might not be affected by it). The sqlite3 fix for Debian jessie (DLA-1613-1 [2]) was a zero-extra-effort outcome of this research.

In November 2018, I have worked on the Debian LTS project for nine hours as a paid contributor. Of the originally planned twelve hours (four of them carried over from October) I gave two hours back to the pool of available work hours and carry one hour over to December.

For November, I also signed up for four hours of ELTS work, but had to realize that at the end of the month, I hadn't even set up a test environment for Debian wheezy ELTS, so I gave these four hours back to the "pool". I have started getting an overview of the ELTS workflow now and will start fixing packages in December.

So, here is my list of work accomplished for Debian LTS in November 2018:

• Regression upload of poppler (DLA 1562-2 [1]), updating the fix for CVE-2018-16646
• Research on Saltstack salt regarding CVE-2018-15750 and CVE-2018-15751. Unfortunately, there was no reference in the upstream Git repository to the commit(s) that actually fixed those issues. Finally, it turned out that the REST netapi code that is affected by the named CVEs was added between upstream release 2014.1.13 and 2014.7(.0). As Debian jessie ships salt's upstream release 2014.1.13, I concluded that salt in jessie is not affected by the named CVEs.
• Last week I joined Markus Koschany with triaging a plentitude of libav issues that have/had status "undetermined" for Debian jessie. I was able to triage 21 issues, of which 15 have applicable patches. Three issues have patches that don't apply cleanly and need manual work. One issue only is valid to ffmpeg, but not to libav.