In December 2019, I worked on the Debian LTS project for 15 hours (of 15 hours planned) and on the Debian ELTS project for 5 hours (of 5 hours planned) as a paid contributor.
LTS Work
- Triage 14 packages during my frontdesk week (tomcat7, tomcat8, lout, apache-log4j1.2, x2goclient (libssh regression), nethack, nethack, cyrus-sasl2, php5, libjpeg-turbo, transfig, ruby-rack, ruby-excon)
- Upload to jessie-security: cyrus-sasl2 (DLA-2044-1 [1]), 1 CVE
- Deeply dive into tightvnc CVE issue hunting and help matching various CVEs between src:libvncserver and src:tightvnc, digging out patches, etc.
- Upload to jessie-security: tightvnc (DLA-2045-1 [2]), 9 CVEs
- Upload to jessie-security: x2goclient (DLA-2038-2 [7]) (fixing a regression caused by a recent libssh security upload; see DLA-2038-1 / CVE-2019-14889) [3]
- Ping DLange and ggings about getting the libssh regression regarding x2goclient fixed in Ubuntu (LTS) [4]
- Ping the release team on security update status regarding CVE-2019-14889/libssh (bundled with an X2Go Client update) for stretch + buster.
- NMU-upload (to DELAYED/10) tightvnc targeting Debian unstable [5]. Waiting for the former maintainer to ACK the NMU or re-do it himself. As tightvnc has been open for adoption for years now, I have started considering taking over QA maintenance under the umbrella of the Debian Remote Maintainers team.
- Re-schedule tightvnc NMU-upload to DELAYED/0 after maintainer's ACK.
- Prepare tightvnc security uploads for stretch + buster (waiting for the recent upload to arrive in unstable).
ELTS Work
- Upload to wheezy-security: cyrus-sasl2 (ELA-203-1 [6]), 1 CVE
- Start backporting two patches for tomcat7 (CVE-2019-12418 and CVE-2019-17563) and hand them over to the team's mailing list for continuation by another team member (because my hours had been used up and I would have needed a second opinion anyway)
Other security-related work for Debian
- Upload to buster(-pu): libvncserver 0.9.11+dfsg-1.3+deb10u1, 1 CVE, two other patches
- Upload to stretch(-pu): libvncserver 0.9.11+dfsg-1.3~deb9u2, 1 CVE, two other patches
- Upload to buster(-pu): atril 1.20.3-1+deb10u1, 1 CVE, one other patch
- Upload to buster(-pu): freerdp2 2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u1, 1 CVE
- Upload to experimental: libjpeg-turbo 1:2.0.3-1~exp1, 1 CVE (plus update security tracker about other CVEs fixed in experimental)
Updates (2019-12-22):
- Add info about DLA-2038-2 for x2goclient upload to jessie LTS
- Add section about other security-related work in Debian related to my LTS work
- Add info about rescheduled NMU of tightvnc/unstable.
References
- [1] https://lists.debian.org/debian-lts-announce/2019/12/msg00027.html
- [2] https://lists.debian.org/debian-lts-announce/2019/12/msg00028.html
- [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947129
- [4] https://bugs.launchpad.net/ubuntu/+source/x2goclient/+bug/1856795
- [5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947133
- [6] https://deb.freexian.com/extended-lts/updates/ela-203-1-cyrus-sasl2/
- [7] https://lists.debian.org/debian-lts-announce/2019/12/msg00029.html