My monthly report covers what I have been doing for Debian. I write it for Debian's Long Term Support sponsors but also for the wider free software community in the hope that it might inspire people to get more involved with Debian or free software in general.
This was my fourth month as a paid contributor and I have been paid to work 30 hours on Debian LTS. During this month I worked on the following things:
- DLA-460-1. Issued a security update for file fixing 1 CVE.
- DLA-461-1. Issued a security update for nagios3 fixing 1 CVE.
- From 2 May until 8 May I managed the LTS frontdesk and triaged CVEs in ikiwiki, jansson, libuser, librsvg, roundcube, ocaml, wpa and sogo. I reviewed a security update of icu for Roberto C. Sánchez. I also reviewed the security update of ikiwiki prepared by Simon McVittie and took care of the announcement which resulted in DLA-463-1.
- DLA-468-1. I fixed two serious issues in the libuser library that allowed a normal user to gain root privileges and to corrupt /etc/passwd.
- DLA-449-2. I issued a regression update for botan1.10's reverse dependencies, monotone and softhsm. Both packages had to be rebuilt in Wheezy. I also prepared the no-change rebuilds for all reverse-dependencies in Jessie. (DSA-3565-2)
- DLA-471-1. Issued a security update for jansson fixing 1 CVE.
- DLA-473-1. Issued a security update for wpa fixing 2 CVEs.
- DLA-475-1. Issued a security update for python-tornado fixing 1 CVE.
- DLA-483-1. Issued a security update for expat fixing 1 CVE.
- DLA-484-1. Issued a security update for graphicsmagick fixing 8 CVEs. GraphicsMagick is a fork of ImageMagick and is also affected by the vulnerabilities commonly known as ImageTragick. It is likely that we will see more CVEs in the near future.
- DLA-488-1. Issued a security update for xymon fixing 4 CVEs. I marked CVE-2016-2057 as not-affected in Wheezy.
- DLA-490-1. Issued a security update for bozohttpd fixing 2 CVEs.
- Misc: I sent a short news update to bits.debian.org and debian-lts-announce which was released on 2 June and announced the now official support of armel and armhf for Wheezy LTS.
- I sent a DLA announcement for Icedove. The security update was prepared by Christoph Goehre. (DLA-472-1)
- I packaged a new version of apktool. This tool has several issues at the moment. The most important one is that the basic framework resource files, which are needed for decoding apk files, are missing. They are not part of the source tarball release, so we need to find other ways to make them available in Debian. Chirayu Desai, one of the GSoC students 2016, already came up with a good proposal.
- We had our first GSoC meetings.
- I fixed an RC bug in gradle-jflex-plugin due to an incompatibility with Gradle >= 2.12.
- I clarified licenses and updated debian/copyright for Netbeans. I also removed some files from the original tarball with possibly controversial licenses.
- I packaged new upstream releases of hsqldb and objenesis and updated fontchooser.
- I sponsored libmnemonicsetter-java for Felix Natter.
- I prepared a security update for Tomcat 8 which still awaits approval by the Security Team.
- I spent too much time trying to upgrade libnetlib-java. In the end I came to the conclusion that it is not worth the effort.
- I fixed a long-standing RC bug in warzone2100 and another bug in fretsonfire.
- I packaged new upstream releases of springlobby, freeorion and freeciv. This fixed the lags in FreeOrion which were seemingly introduced by an X server update. I also uploaded the latest versions of FreeCiv and Minetest to jessie-backports.
- Xarchiver crashed when someone attempted to cancel the extraction procedure with the Thunar plugin. (#822115) I fixed the issue in Sid, Stretch and Jessie.