My Free Software Activities in April 2016

My monthly report covers what I have been doing for Debian. I write it for Debian's Long Term Support sponsors but also for the wider free software community in the hope that it might inspire people to get more involved with Debian or free software in general.

Debian LTS

This was my third month as a paid contributor and I have been paid to work 16 hours on Debian LTS. During this month I worked on the following things:

• DSA-3552-1: I finished my work on Tomcat 7 which I started back in March. Debian's Security Team eventually reviewed the package and issued DSA-3552-1. This update fixed 9 CVEs in Wheezy and 7 CVEs in Jessie.
• DSA-3541-1: My security update for roundcube (Wheezy) fixing 1 CVE was issued by the Security Team.
• DLA-449-1. I worked on botan1.10, a C++ library which provides support for many common cryptographic operations and fixed 7 CVEs in Wheezy. I also sent an updated package for Jessie to the Security Team and they issued DSA-3565-1 for it. For Jessie 6 CVEs could be closed.  I am currently investigating a possible regression (#823297) that might require a rebuild of monotone.
• DLA-450-1. I prepared an update for gdk-pixbuf fixing 1 CVE. While I was working on this issue I discovered that Debian's fix for CVE-2015-7674 was incomplete and thus I added another patch to prevent possible heap-based overflows in pixops/pixops.c. Thanks to SUSE's Security Team for their initial work on this issue.
• DLA-451-1. I backported and tested a security update for OpenJDK-7 fixing 7 CVEs. Thanks to Matthias Klose and Tiago Stürmer Daitx for their initial work.
• DLA-452-1. I fixed a bug in smarty3 (Wheezy), a template engine for PHP, that allowed remote attackers to bypass the secure mode restrictions and to execute arbitrary PHP code.
• I triaged CVE-2015-7496 in GDM3 and marked this issue as <not affected> in Wheezy because the vulnerable code was neither present nor was the issue reproducible.
• I triaged two more CVEs in Swift, CVE-2016-0738 and CVE-2016-0737 and marked both CVEs as fixed in Wheezy because the vulnerable code was not present. I also had a closer look at Xymon. This package appears to be partly affected by the open security issues and needs further investigation.
• The security support for Wheezy was handed over to the LTS team on 26 April 2016. I drafted an official announcement which was published on debian.org and debian-lts-announce. Before I started a call for review on debian-lts. Thanks for all the feedback and especially for the reviews from the English language team.
• Making OpenJDK 7 the default-java implementation in Wheezy-LTS. I uploaded a new revision of java-common with the sole intention to increase the user awareness for our intended switch to OpenJDK 7 as the default Java implementation. Moreover I updated 14 Java packages in Wheezy that strictly depended on openjdk-6-jre or openjdk-6-jdk. The requirements were relaxed so that users will be able to install OpenJDK 7 now without the need for installing the unsupported OpenJDK 6 too. Three Java packages are still pending due to a bug in Debian's archive software that will hopefully be resolved soon. I think we could have uploaded those packages sooner but the Release Team did not deem these issues to be important enough. (#819247)

Debian Android

• apktool and libsmali-java. I packaged the latest upstream release of Apktool, 2.1.0. Smali is now a dependency of Apktool and no longer included in the official tarballs. That's the reason why I decided to package libsmali-java.
• I will be a Mentor for Google Summer of Code again together with Hans-Christoph Steiner. I presume this year will be quite exciting and we will try to package more Android software for Debian.

Debian Java

• Emmanuel Bourg set up a blog about Debian Java. We intend to do regular updates from now on to increase the visibility of the Java ecosystem in Debian. I assisted with the first blog post. I will post something about the switch to OpenJDK 7 in Wheezy shortly. My next goal is to improve our documentation about packaging Java software for Debian and I intend to write a series of blog posts in the near future.
• We finally started the insubstantial transition and removed libasm-2 java. Thanks to Felix Natter, who packaged insubstantial, I could request the removal of the old source packages that depended on ASM2. (flamingo, liblaf-plugin-java, liblaf-widget-java, trident and substance.)
• I requested the removal of libcommons-net2-java after fixing Pixelmed, the last reverse-dependency.
• I packaged new upstream releases of jboss-xnio, jboss-jdeparser2, libjide-oss-java, MediathekView, undertow, commons-javaflow, libjgoodies-animation-java, libjgoodies-binding-java, lombok, svnkit, triplea, stapler, jftp, hawtjni, felix-bundlerepository, jackrabbit and lwjgl.
• I updated and triaged several Java packages and fixed open bugs in: wsdl4j, jcifs, jasperreports, entagged
• I filed an RC bug against libxmlbeans-java because the package embeds classes without source.

Debian Games

• This month I was also quite busy with updating some of our games. I packaged new upstream releases of gamine, extremetuxracer and springlobby, updated several packages and triaged and fixed open bugs including: airstrike, amoebax, jester, adonthell, andonthell-data, antigrav, btanks, enemylines3, kobodeluxe, late, pong2, raincat, ketm and xmahjongg.

Misc

• gimp-dimage-color. I asked the ftp team to remove gimp-dimage-color because it has not been updated in the past seven years and it is also not part of Debian stable.
• I reviewed and sponsored python-adventure for Ben Finney.
• I also reviewed freecell-solver for Shlomi Fish on debian-mentors but the package was eventually uploaded by the actual package maintainer.