My Free Software Activities in October 2019

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • Python 3 ports: I reviewed and sponsored krank and solarwolf for Reiner Herrmann. Thanks to his diligent work two more Python games were ported to Python 3. He also packaged a new upstream release of hyperrogue and improved the build system. Less memory is required to build hyperrogue now and some buildd are thankful for that.
  • The bullet transition got finally approved and completed successfully.
  • I uploaded a new version of pygame-sdl2 to experimental which supports Python 3 now. However the library is still exclusively needed for renpy but upstream hasn’t finished the porting work to Python 3 yet. Hopefully this will be done next year. That means the new version of renpy which I also packaged this month still depends on Python 2.
  • I fixed two bugs in Freeciv, the famous strategy game, by replacing fonts-noto-cjk with fonts-unfonts-core. (#934588) The latter fonts looks apparently better on ordinary screens. The second one was simple to fix, I just had to remove an unneeded Python 2 build-dependency. (#936553)
  • The strategy game asc, a neat clone of Battle Isle 2, also needed some attention this month. I had to replace libwxgtk3.0-dev with libwxgtk3.0-gtk3-dev. (#943439)
  • I did a QA upload of open-invaders because the maintainer email address was bouncing. The game needs a new maintainer.

Debian Java

Misc

  • I packaged a new version of privacybadger, and backported ublock-origin  to Stretch and Buster because the addon was incompatible with the latest Firefox ESR release.

Debian LTS

This was my 44. month as a paid contributor and I have been paid to work 22,75 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 14.10.2019 until 20.10.2019 and from 28.10.2019 until 03.11.2019 I was in charge of our LTS frontdesk. I investigated and triaged CVE in wordpress, ncurses, opencv, pillow, poppler, golang, gdal, lz4, python-reportlab, ruby-haml, vips, rdesktop, modsecurity-crs, zabbix, polarssl and tika.
  • DLA-1960-1. Issued a security update for wordpress fixing 7 CVE.
  • DLA-1966-1. Issued a security update for aspell fixing 1 CVE.
  • DLA-1973-1. Issued a security update for libxslt fixing 1 CVE.
  • DLA-1978-1. Issued a security update for python-ecdsa fixing 2 CVE.
  • DLA-1982-1. Issued a security update for openafs fixing 2 CVE.
  • I triaged 17 CVE in libgig and forwarded the result upstream. After the investigation I decided to mark these issues as no-dsa because all in all the security risk was low. (#931309)

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 “Wheezy”. This was my seventeenth month and I have been assigned to work 15 hours on ELTS plus five hours from September. I used 8 of them for the following:

  • ELA-185-1. Issued a security update for libxslt fixing 1 CVE.
  • ELA-186-1. Issued a security update for libssh2 fixing 1 CVE.
  • ELA-187-1. Issued a security update for cpio fixing 1 CVE. The update was prepared by Ola Lundqvist.
  • ELA-188-1. Issued a security update for djvulibre fixing 1 CVE.
  • I worked on OpenJDK 7. I contacted upstream and asked for a new IcedTea release on which we rely for packaging new upstream releases of OpenJDK. The release is still delayed.

My Free Software Activities in September 2019

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • Reiner Herrmann investigated a build failure of supertuxkart on several architectures and prepared an update to link against libatomic. I reviewed and sponsored the new revision which allowed supertuxkart 1.0 to migrate to testing.
  • Python 3 ports: Reiner also ported bouncy, a game for small kids, to Python3 which I reviewed and uploaded to unstable.
  • Myself upgraded atomix to version 3.34.0 as requested although it is unlikely that you will find a major difference to the previous version.

Debian Java

Misc

  • I packaged new upstream releases of ublock-origin and privacybadger, two popular Firefox/Chromium addons and
  • packaged a new upstream release of wabt, the WebAssembly Binary Toolkit.

Debian LTS

This was my 43. month as a paid contributor and I have been paid to work 23,75 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 11.09.2019 until 15.09.2019 I was in charge of our LTS frontdesk. I investigated and triaged CVE in libonig, bird, curl, openssl, wpa, httpie, asterisk, wireshark and libsixel.
  • DLA-1922-1. Issued a security update for wpa fixing 1 CVE.
  • DLA-1932-1. Issued a security update for openssl fixing 2 CVE.
  • DLA-1900-2. Issued a regression update for apache fixing 1 CVE.
  • DLA-1943-1. Issued a security update for jackson-databind fixing 4 CVE.
  • DLA-1954-1. Issued a security update for lucene-solr fixing 1 CVE. I triaged CVE-2019-12401 and marked Jessie as not-affected because we use the system libraries of woodstox in Debian.
  • DLA-1955-1. Issued a security update for tcpdump fixing 24 CVE by backporting the latest upstream release to Jessie. I discovered several test failures but after more investigation I came to the conclusion that the test cases were simply created with a newer version of libpcap which causes the test failures with Jessie’s older version.

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 “Wheezy”. This was my sixteenth month and I have been assigned to work 15 hours on ELTS plus five hours from August. I used 15 of them for the following:

  • I was in charge of our ELTS frontdesk from 30.09.2019 until 06.10.2019 and I triaged CVE in tcpdump. There were no reports of other security vulnerabilities for supported packages in this week.
  • ELA-163-1. Issued a security update for curl fixing 1 CVE.
  • ELA-171-1. Issued a security update for openssl fixing 2 CVE.
  • ELA-172-1. Issued a security update for linux fixing 23 CVE.
  • ELA-174-1. Issued a security update for tcpdump fixing 24 CVE.

My Free Software Activities in August 2019

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

Debian Java

Misc

  • I fixed two minor CVE in binaryen, a compiler and toolchain infrastructure library for WebAssembly, by packaging the latest upstream release.

Debian LTS

This was my 42. month as a paid contributor and I have been paid to work 21,75 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 12.8.2019 until 18.08.2019 and from 09.09.2019 until 10.09.2019 I was in charge of our LTS frontdesk. I investigated and triaged CVE in kde4libs, apache2, nodejs-mysql, pdfresurrect, nginx, mongodb, nova, radare2, flask, bundler, giflib, ansible, zabbix, salt, imapfilter, opensc and sqlite3.
  • DLA-1886-2. Issued a regression update for openjdk-7. The regression was caused by the removal of several classes in rt.jar by upstream. Since Debian never shipped the SunEC security provider SSL connections based on elliptic curve algorithms could not be established anymore. The problem was solved by building sunec.jar and its native library libsunec.so from source. An update of the nss source package was required too which resolved a five year old bug. (#750400).
  • DLA-1900-1. Issued a security update for apache2 fixing 2 CVE, three more CVE did not affect the version in Jessie.
  • DLA-1914-1. Issued a security update for icedtea-web fixing 3 CVE.
  • I have been working on a backport of opensc, a set of libraries and utilities to access smart cards that support cryptographic operations, from Stretch which will fix more than a dozen CVE.

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 “Wheezy”. This was my fifteenth month and I have been assigned to work 15 hours on ELTS of which I used 10 of them.

  •  I was in charge of our ELTS frontdesk from 26.08.2019 until 01.09.2019 and I triaged CVE in dovecot, libcommons-compress-java, clamav, ghostscript, gosa as end-of-life because security support for them has ended in Wheezy. There were no new issues for supported packages. All in all this was a rather unspectacular week.
  • ELA-156-1. Issued a security update for linux fixing 9 CVE.
  • ELA-154-2. Issued a regression update for openjdk-7 and nss because the removed classes in rt.jar caused the same issues in Wheezy too.

Thanks for reading and see you next time.

My Free Software Activities in July 2019

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

DebConf 19 in Curitiba

I have been attending DebConf 19 in Curitiba, Brazil from 16.7.2019 to 28.7.2019. I gave two talks about games in Debian and the Long Term Support project, together with Hugo Lefeuvre, Chris Lamb and Holger Levsen. Especially the Games talk had some immediate positive impact. In response to it Reiner Herrmann and Giovanni Mascellani provided patches for release critical bugs related to GCC-9 and the Python 2 removal and we could already fix some of the more important problems for our current release cycle.
I had a lot of fun in Brazil and again met a couple of new and interesting people.  Thanks to all who helped organizing DebConf 19 and made it the great event it was!

Debian Games

  • We are back in business which means packaging new upstream versions of popular games. I packaged new versions of atomix, dreamchess and pygame-sdl2,
  • uploaded minetest 5.0.1 to unstable and backported it later to buster-backports,
  • uploaded new versions of freeorion and warzone2100 to Buster,
  • fixed bug #931415 in freeciv and #925866 in xteddy,
  • became the new uploader of enemylines7.
  • I reviewed and sponsored patches from Reiner Herrmann to port several games to python3-pygame including whichwayisup, funnyboat and monsterz,
  • from Giovanni Mascellani ember and enemylines7.

Debian Java

  • I packaged new upstream versions of robocode, jboss-modules, jboss-jdeparser2, wildfly-common, commons-dbcp2, jboss-logging-tools, jboss-logmanager, libpdfbox2.java, jboss-logging, jboss-xnio, libjide-oss-java,  sweethome3d, sweethome3d-furniture, pdfsam, libsambox-java, libsejda-java, jackson-jr, jackson-dataformat-xml, libsmali-java and apktool.

Misc

  • I updated the popular Firefox/Chromium addons ublock-origin, https-everywhere and privacybadger and also packaged new upstream versions of wabt and binaryen which are both required for building webassembly files from source.

Debian LTS

This was my 41. month as a paid contributor and I have been paid to work 18,5 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • DLA-1854-1. Issued a security update for libonig fixing 1 CVE.
  • DLA-1860-1. Issued a security update for libxslt fixing 4 CVE.
  • DLA-1846-2. Issued a regression update for unzip to address a Firefox build failure.
  • DLA-1873-1. Issued a security update for proftpd-dfsg fixing 1 CVE.
  • DLA-1886-1. Issued a security update for openjdk-7 fixing 4 CVE.
  • DLA-1890-1. Issued a security update for kde4libs fixing 1 CVE.
  • DLA-1891-1. Reviewed and sponsored a security update for openldap fixing 2 CVE prepared by Ryan Tandy.

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 “Wheezy”. This was my fourteenth month and I have been paid to work 15 hours on ELTS.

  • I was in charge of our ELTS frontdesk from 15.07.2019 until 21.07.2019 and I triaged CVE in openjdk7, libxslt, libonig, php5, wireshark, python2.7, libsdl1.2, patch, suricata and libssh2.
  • ELA-143-1. Issued a security update for libonig fixing 1 CVE.
  • ELA-145-1.  Issued a security update for libxslt fixing 2 CVE.
  • ELA-151-1. Issued a security update for linux fixing 3 CVE.
  • ELA-154-1. Issued a security update for openjdk-7 fixing 4 CVE.

Thanks for reading and see you next time.

My Free Software Activities in June 2019

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.
First of all I want to thank Debian’s Release Team. Whenever there was something to unblock for Buster, I always got feedback within hours and in almost all cases the package could just migrate to testing. Good communication and clear rules helped a lot to make the whole freeze a great experience.

Debian Games

  • I reviewed and sponsored a couple of packages again this month.
  • Reiner Herrmann provided a complete overhaul of xbill, so that we all can fight those Wingdows Viruses again.
  • He also prepared a new upstream release of Supertuxkart, which is currently sitting in experimental but will hopefully be uploaded to unstable within the next days.
  • Bernhard Übelacker fixed two annoying bugs in Freeorion (#930417) and Warzone2100 (#930942).  Unfortunately it was too late to include the fixes for Debian 10 in time but I will prepare an update for the next point release.
  • Well, the freeze is over now (hooray) and I intend to upgrade a couple of games in the warm (if you live in the northern hemisphere) month of July again .

Debian Java

  • I prepared another security update for jackson-databind to fix CVE-2019-12814 and CVE-2019-12384 (#930750).
  • I worked on a security update for Tomcat 8 but have not finished it yet.

Debian LTS

This was my fortieth month as a paid contributor and I have been paid to work 17 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 10.06.2019 until 16.06.2019 and from 24.06.2019 until 30.06.2019 I was in charge of our LTS frontdesk. I investigated and triaged CVE in wordpress, ansible, libqb, radare2, lemonldap-ng, irssi, libapache2-mod-auth-mellon and openjpeg2.
  • DLA-1827-1. Issued a security update for gvfs fixing 1 CVE.
  • DLA-1831-1. Issued a security update for jackson-databind fixing 2 CVE.
  • DLA-1822-1. Issued a security update for php-horde-form fixing 1 CVE.
  • DLA-1839-1. Issued a security update for expat fixing 1 CVE.
  • DLA-1845-1.  Issued a security update for dosbox fixing 2 CVE.
  • DLA-1846-1.  Issued a security update for unzip fixing 1 CVE.
  • DLA-1851-1. Issued a security update for openjpeg2 fixing 2 CVE.

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 “Wheezy”. This was my thirteenth month and I have been paid to work 22 hours on ELTS (15 hours were allocated + 7 hours from last month).

  • ELA-133-1. Issued a security update for linux fixing 9 CVE.
  • ELA-137-1. Issued a security update for libvirt fixing 1 CVE.
  • ELA-139-1. Issued a security update for bash fixing 1 CVE.
  • ELA-140-1. Issued a security update for glib2.0 fixing 3 CVE.
  • ELA-141-1. Issued a security update for unzip fixing 1 CVE.
  • ELA-142-1. Issued a security update for libxslt fixing 2 CVE.

Thanks for reading and see you next time.

My Free Software Activities in May 2019

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • Like in previous release cycles I published a new version of debian-games at the end to incorporate the latest archive changes. Unfortunately, Netbeans, the Java IDE, cuyo and holdingnuts didn’t make it and I demoted them to Suggests.
  • A longstanding graphical issue (#871223) was resolved in Neverball where stars in goal points were displayed as squares. As usual something (OpenGL-related?) must have changed somewhere but in the end the installation of some missing png files made the difference. How it worked without them before remains a mystery.
  • I sponsored two uploads which were later unblocked for Buster. Bernat reported a crash in etw, a football simulation game ported from the AMIGA. Fortunately Steinar H. Gunderson could provide a patch quickly. (#928240)
  • A rebuild of marsshooter, a great looking space shooter with an awesome soundtrack, may have been the trigger for a segmentation fault. Jacob Nevins stumbled over it and Bernhard Übelacker provided a patch to fix missing return statements.  (#929513)

Debian Java

  • I provided a security update for jackson-databind to fix CVE-2019-12086 (#929177) in Buster and prepared DSA-4452-1 to fix the remaining 11 CVE in Stretch.
  • Unfortunately Netbeans will not be in Buster. There were at least two issues why I could not recommend our Debian version, clear regressions in comparison to the version in Stretch. I found it odd that the severest one was fixed in Ubuntu shortly after the removal from testing. I surely would have appreciated the patch for Debian too. At the moment I don’t believe I will continue to work on Netbeans, very time consuming to get it in shape for Debian, too many dependencies, where the slightest changes in r-deps may cause bugs in Netbeans, nobody else in the Java team is really interested and most Java developers probably install the upstream version. A really bad combination.

Misc

Debian LTS

This was my thirty-ninth month as a paid contributor and I have been paid to work 18 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • I investigated CVE-2019-0227, axis and suggested to mark it as unimportant. I triaged CVE-2019-0227, ampache as no-dsa for Jessie.
  • DLA-1798-1. Issued a security update for jackson-databind fixing 1 CVE.
  • DLA-1804-1. Issued a security update for curl fixing 1 CVE.
  • DLA-1816-1. Issued a security update for otrs2 fixing 2 CVE.
  • DLA-1753-3. Issued a regression update for proftpd-dfsg. When the creation of a directory failed during sftp transfer, the sftp session would be terminated instead of failing gracefully due to a non-existing debug logging function.
  • DLA-1821-1. I’m currently testing the next security update of phpmyadmin. I triaged or fixed 19 CVE.

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 “Wheezy”. This was my twelfth month and I have been paid to work 8 hours on ELTS (15 hours were allocated). I intend to use the remaining hours in June.

  • I investigated three CVE in pacemaker, CVE-2018-16877, CVE-2018-16878, CVE-2019-3885 and found that none of them affected Wheezy.
  • ELA-127-1. Issued a security update for linux and linux-latest fixing 15 CVE.

Thanks for reading and see you next time.

My Free Software Activities in April 2019

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • This was a very quiet month compared to pre-freeze time. I reported three security vulnerabilities for Teeworlds (#927152) which were later fixed by Dylan Aïssi. Thank you.
  • I also reviewed and sponsored a new revision of OpenMW for Bret Curtis. I’m not sure why he didn’t ask the release team for an unblock but there may be a reason.

Debian Java

  • I fixed a security vulnerability in robocode (#926088) and asked for an unblock.
  • I corrected a mistake in solr-tomcat and learned, if you want to override a service file of another package (tomcat9) the conf file has to be installed into
    /etc/systemd/system/tomcat9.service.d/

    instead of /etc/systemd/system/tomcat9.d.*sigh*

Misc

  • Last month I wrote about the challenges of the ublock-origin addon (#926586). We came to the conclusion that we can no longer provide one version for Firefox and Chromium but that we don’t have to create two binary packages either. Now we use symlinks  and two different directories and hopefully this will solve all the troubles we had before. It is not a great solution but hopefully we can maintain the addon without relying on patches.  Thanks to Michael Meskes who implemented the changes. I will probably upload a new version to experimental in May, so that people can try it out and report back.

Debian LTS

This was my thirty-eight month as a paid contributor and I have been paid to work 17,25 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 29.04.2019 until 05.05.2019 I was in charge of our LTS frontdesk. I investigated and triaged CVE in rebar, filezilla, lucene-solr, librecad, apparmor, phpbb3, jakarta-jmeter, jetty8, jetty, php-imagick and node-tar.
  • DLA-1753-2. Issued a regression update for proftpd-dfsg because it became clear that neither version 1.3.5.e nor 1.3.6 was a way forward to address the memory leaks because those versions also introduced new bugs that affected sftp setups negatively (#926719). I resolved these problems by backporting the patches for the memory leaks and by reverting to version 1.3.5 again.
  • DLA-1773-1. Issued a security update for signing-party fixing 1 CVE.
  • DLA-1774-1. Issued a security update for otrs2 fixing 1 CVE.
  • DLA-1775-1. Issued a security update for phpbb3 fixing 1 CVE.
  • DLA-1776-1. Issued a security update for librecad fixing 1 CVE.
  • DLA-1785-1. Issued a security update for imagemagick together with Hugo Lefeuvre (3 CVE) fixing 50 CVE in total.

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 “Wheezy”. This was my eleventh month and I have been paid to work 14,5 hours on ELTS.

  • I was in charge of our ELTS frontdesk from 15.04.2019 until 21.04.2019 and I triaged CVE in openjdk7, php5 and libvirt.
  • ELA-72-2. Issued a regression update for jasper which corrected the patch for CVE-2018-19542.
  • ELA-109-1. Issued a security update for jquery fixing 1 CVE.
  • ELA-111-1. Issued a security update for linux and linux-latest fixing 24 CVE.
  • ELA-117-1. Issued a security update for apache2 fixing 2 CVE and investigated four more CVE which I triaged as not-affected.

Thanks for reading and see you next time.

My Free Software Activities in March 2019

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. ( a bit later than usual) If you’re interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • Lars Kruse reported a bug in the gui-sdl2 theme of Freeciv, the famous strategy game, which I could quickly fix.  (#923563)
  • I fixed RC bug #922947 in retroarch-assets because of a change in fonts-roboto that broke symlinks to font files.
  • Pedro Pena and Carlos Donizete Froes packaged two new games for Debian, Infinitetux (Pedro) and Pekka Kana 2 (Carlos). I reviewed and sponsored both games and they are currently waiting in the NEW queue. Infinitetux is a Super Mario like game written in Java. The original author of the game is no one else than Markus Persson, the developer of Minecraft. This game is one of his previous works that used the original game content from Nintendo. However Pedro completely replaced the artwork with freely available images and sounds. Quite interesting for Java developers: The game requires no third-party libraries and uses only classes from the JDK. Pekka Kana 2 is another jump-and-run game from Finnish creator Janne Kivilahti. He kindly released his game under a permissive BSD-2-clause license.

Debian Java

  • I tackled several RC bugs in Java packages this month.
  • libjogl2-java (#887140): The package failed to build on several non-supported architectures. Since we are already glad that it works on amd64 I had to limit the support in debian/control to those architectures where the package may be useful.
  • lucene-solr (#919638): Solr refused to start with Tomcat 9 because of more strict permissions in Tomcat’s systemd service file. I initially tried to fix this in Tomcat but had to add a new systemd conf file to lucene-solr that overrides the permissions now.
  • javahelper (#923756): I implemented a workaround for Javadoc build failures that started to occur only two months ago after the OpenJDK 11 package was upgraded.
  • owasp-java-html-sanitizer (#923654): I removed the now non-existent build-dependency on libjsr305-java-doc.
  • sweethome3d (#924594): I had to replace the virtual dependency on icedtea-netx-common with icedtea-netx.
  • I triaged a RC bug in libitext-java (#923364). Unfortunately the bug submitter did not provide further information.
  • It is a bit sad that Netbeans is currently affected by a severe bug which makes it impossible to create new Java projects. (#925509) I tried to fix it but I am stuck now. Help is appreciated.
  • I provided a patch to fix RC bug #923759 in netlib-java.

Misc

  • The  ublock-origin addon does not work anymore with Firefox 66 in unstable (#925337) which is caused by a value in its manifest file, incognito:split, that is not supported by Firefox. Previous versions of Firefox just emitted a warning, now it is fatal. The same value works fine with Chromium. At the moment we provide one webextension package for both browsers in Debian but it looks like we have to consider to provide two different packages of ublock-origin again, to avoid such pitfalls in the future. I have filed #926586 to get more feedback.

Debian LTS

This was my thirty-seventh month as a paid contributor and I have been paid to work 29,5 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 25.03.2019 until 31.03.2019 I was in charge of our LTS frontdesk. I investigated and triaged CVE in twig, ruby2.1, znc, wpa, cloud-init, dovecot, edk2, activemq, bwa, tomcat8, mosquitto, gpsd, nuget, rails, robocode, libav and clamav.
  • DLA-1708-1. Issued a security update for zabbix fixing 2 CVE.
  • DLA-1711-1. Issued a security update for systemd fixing 1 CVE.
  • DLA-1733-1. Issued a security update for wpa fixing 1 CVE.
  • DLA-1736-1. Issued a security update for dovecot fixing 1 CVE.
  • DLA-1738-1. Issued a security update for gpsd fixing 1 CVE.
  • DLA-1739-1. Issued a security update for rails fixing 2 CVE.
  • DLA-1753-1. Issued a security update for proftpd-dfsg to fix several memory leaks. However it turned out that under certain conditions #926719 the daemon now closes sftp connections. This appears to be an upstream bug that was fixed in version 1.3.6. I will investigate if we have to revert to the previous version or if we can move forward.
  • DLA-1755-1. Issued a security update for graphicsmagick fixing 6 CVE.
  • While I was working on DLA-1755-1 I discovered a regression in jasper which I addressed with DLA-1628-2.

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 “Wheezy”. This was my tenth month and I have been paid to work 15 hours on ELTS.

  • I was in charge of our ELTS frontdesk from 11.03.2019 until 17.03.2019 and I triaged CVE in cron, ntp, gdk-pixbuf, glib2.0 and libssh2.
  • ELA-92-1. Issued a security update for xmltooling fixing 1 CVE.
  • ELA-94-1. Issued a security update for openssh fixing 3 CVE.
  • ELA-105-1. Issued a security update for sqlalchemy fixing 2 CVE.
  • I started to work on src:linux and will provide a new package next week.

Thanks for reading and see you next time.

My Free Software Activities in February 2019

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • February was the last month to package new upstream releases before the full freeze, if the changes were not too invasive of course :-). Atomix, gamine, simutrans, simutrans-pak64, simutrans-pak128.britain and hitori qualified.
  • I sponsored a new version of mgba, a Game Boy Advance emulator, for Reiner Herrmann and worked together with Bret Curtis on wildmidi and openmw. The latest upstream version resolved a long-standing bug and made it possible that the game engine, a reimplementation of The Elder Scrolls III: Morrowind, will be part of a Debian stable release for the first time.
  • Johann Suhter reported a bug in one of brainparty‘s minigames and also provided the patch. All I had to do was uploading it. Thanks. (#922485)
  • I corrected a minor cross-build FTBFS in openssn. Patch by Helmut Grohne. (#914724)
  • I released a new version of debian-games and updated the dependency list of our games metapackages. This is almost the final version but expect another release in one or two months.

Debian Java

Misc

Debian LTS

This was my thirty-sixth month as a paid contributor and I have been paid to work 19,5 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 25.02.2019 until 03.03.2019 I was in charge of our LTS frontdesk. I investigated and triaged CVE in sox, collabtive, libkohana2-php, ldb, libpodofo, libvirt, openssl, wordpress, twitter-bootstrap, ceph, ikiwiki, edk2, advancecomp, glibc, spice-xpi and zabbix.
  • DLA-1675-1. Issued a security update for python-gnupg fixing 1 CVE.
  • DLA-1676-1. Issued a security update for unbound fixing 1 CVE.
  • DLA-1696-1. Issued a security update for ceph fixing 2 CVE.
  • DLA-1701-1. Issued a security update for openssl fixing 1 CVE.
  • DLA-1702-1. Issued a security update for advancecomp fixing 2 CVE.
  • DLA-1703-1. Issued a security update for jackson-databind fixing 10 CVE.
  • DLA-1706-1. Issued a security update for poppler fixing 5 CVE.

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 “Wheezy”. This was my ninth month and I have been paid to work 15 hours on ELTS.

  • I was in charge of our ELTS frontdesk from 25.02.2019 until 03.03.2019 and I triaged CVE in file, gnutls26, nettle, libvirt, busybox and eglibc.
  • ELA-84-1. Issued a security update for gnutls26 fixing 4 CVE. I also investigated CVE-2018-16869 in nettle and also CVE-2018-16868 in gnutls26. After some consideration I decided to mark these issues as ignored because the changes were invasive and would have required intensive testing. The benefits appeared small in comparison.
  • ELA-88-1. Issued a security update for openssl fixing 1 CVE.
  • ELA-90-1. Issued a security update for libsdl1.2 fixing 11 CVE.
  • I started to work on sqlalchemy which requires a complex backport to fix a possible SQL injection vulnerability.

Thanks for reading and see you next time.

My Free Software Activities in January 2019

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • Time’s almost up and the soft freeze is near. In January I packaged a couple of new upstream versions for Teeworlds (0.7.2), Neverball (this one was a Git snapshot because they apparently don’t like regular releases), cube2-data (easy, because I am upstream myself), adonthell and adonthell-data, fifechan, fife and unknown-horizons.
  • After I uploaded the latest Teeworlds release to stretch-backports too, I sponsored pegsolitaire for Juhani Numminen and a shiny new Supertux release for Reiner Herrmann.
  • I updated KXL, the Kacchan X Windows System Library. You have never heard of it? Well, never mind. However it powers three Debian games.
  • Last but not least I updated btanks,  your fast 2D tank arcade game.

Debian Java

Misc

Debian LTS

This was my thirty-fifth month as a paid contributor and I have been paid to work 20,5 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • From 28.01.2019 until 03.02.2019 I was in charge of our LTS frontdesk. I investigated and triaged CVE in mupdf, coturn, php5, netkit-rsh, guacamole-client, openjdk-7, python-numpy, python-gnupg, muble, mysql-connector-python, enigmail, python-colander, slurml-llnl, sox, uriparser, and drupal7.
  • DLA-1631-1. Issued a security update for libcaca fixing 4 CVE.
  • DLA-1633-1. Issued a security update for sqlite3 fixing 5 CVE.
  • DLA-1650-1. Issued a security update for rssh fixing 1 CVE.
  • DLA-1656-1. Issued a security update for agg fixing 1 CVE. This one required a sourceful upload of desmume and exactimage as well because agg provides only a static library.
  • DLA-1662-1. Issued a security update for libthrift-java fixing 1 CVE.
  • DLA-1673-1. Issued a security update for wordpress fixing 7 CVE.

ELTS

Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 “Wheezy”. This was my eight month and I have been paid to work 15 hours on ELTS.

  • I was in charge of our ELTS frontdesk from 28.01.2019 until 03.02.2019 and I triaged CVE in php5 and systemd.
  • ELA-81-1. Issued a security update for systemd fixing 2 CVE. I investigated CVE-2018-16865 and found that systemd was not exploitable. I marked CVE-2018-16864, CVE-2018-16866 and CVE-2018-15688 as <not-affected> because the vulnerable code was introduced later.
  • ELA-83-1. Issued a security update for php5  fixing 7 upstream bugs. No CVE have been assigned yet but upstream intends to do so shortly.

Thanks for reading and see you next time.