Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.
- Really good news this month as Yavor Doganov provided patches for gamazons (#885735), gnomekiss (#885740) and teg (#885751) which all depended on obsolete GNOME 2 libraries. He succeeded in porting them to GooCanvas and GNOME 3. We are currently aware of some issues in Teg (#907834) and would appreciate more feedback from game testers. In any case this was a non-trivial feat and many thanks go to Yavor who prevented the removal of three games from Debian.
- I applied a patch from Adrian Bunk which made FreeOrion (#906746) more portable and packaged the latest and greatest release 0.4.8 later.
- I fixed a broken start script in FreeCol due to OpenJDK 10 changes. (#907661)
- The Spring RTS engine was affected by a GCC-8 RC bug. (#906409)
- I backported FreeCiv 2.6.0 to Stretch.
- I updated some games to the latest standards in Debian, made some minor changes and applied patches to fix FTCBFS bugs or build failures due to a missing libm library. Those issues were solved in tenmado, supertransball2 (#902537), seahorse-adventures, empire (#900197), phlipple (#907207) and ace-of-penguins (#900200).
- I sponsored mupen64plus-qt for Dan Hastings.
- I made some minor updates for the Java Packaging guide and announced its existence here on this blog.
- I packaged new upstream releases and fixed some serious issues in libmiglayout-java, wildfly-client-config, h2database (#902787), jackson-dataformat-xml (#906368), libcommons-compress-java (#906301), xmlgraphics-commons (#906523) and tomcat8 (#906447).
- We still have about 100 RC bugs to fix at the moment. As usual there are still Java 9 and Java 10 issues (and soon I’m sure Java 11). This month I triaged and fixed RC bugs in spatial4j-0.4 (#902789), plexus-archiver (#906396), zookeeper (#897892 prepared by tony mancill), simple-xml (#888547), axis (#902861), asm (#902570), jnr-posix (#901044), mina2 (#907001), disruptor (#906347), libreadline-java (#898380), gnome-split (#893201) and lucene-solr (#906384, #904063).
- I applied a patch from Bdale Garbee and lowered the minimum required source/target level to 1.6 in Ant again since we know that OpenJDK 11 will support that. However, we will have to revert to 1.7 again because OpenJDK 12 will drop support for Java 6 in the future.
- I completed a security update for Tomcat 8. It was issued by the security team as DSA 4281-1.
- I packaged a new build-dependency for mediathekview, libmbassador-java. The update also requires a working JavaFX package and probably one or two additional packages. I intend to work on JavaFX in September.
- I NMUed ruby-zip to fix an RC bug (#902720) and libcgroup (#906308) and uploaded the fix for the latter to Stretch as well. (#907386)
- I updated byzanz and pyblosxom and moved them to salsa.debian.org.
- I packaged a new upstream release of the https-everywhere browser extension.
- From 13.08.2018 until 19.08.2018 and from 27.08.2018 until 02.09.2018 I was in charge of our LTS frontdesk. I investigated and triaged CVE in intel-microcode, bind9, confuse, libykneomgr, mp4v2, gdm3, wesnoth-1.10, ruby-zip, otrs2, mathjax, mono, tcpflow, bluez, openssh, mariadb-10.0, tomcat-native, wordpress, thunderbird, spice, spice-gtk, libextractor, postgresql-9.1, libcgroup, zutils, soundtouch, squirrelmail, git-annex, ghostscript, libpgjava, elfutils, libpodofo, libtirpc, libxkbcommon, libtasn1-6, cinder, 389-ds-base, wireshark, php5, libzypp, imagemagick, kfreebsd-10, tiff, discount and polarssl.
- DLA-1467-1. Issued a security update for ruby-zip fixing 1 CVE.
- I worked on gdm3 to fix CVE-2018-14424. I backported the patch to Jessie but could still trigger a session restart with the POC. Since there is no crash and the session is completely restored, we believe now that this is the intended behavior. I also tried to contact Chris Coulson, the original bug reporter, for further advice but have not received a reply yet. If we don’t discover another issue we will release a DLA for gdm3 in September.
- DLA-1472-1. Issued a security update for libcgroup fixing 1 CVE.
- DLA-1473-1. Issued a security update for otrs2 fixing 1 CVE.
- DLA-1482-1. Issued a security update for libx11 fixing 3 CVE.
- DLA-1475-1. Issued a security update for tomcat-native fixing 2 CVE.
- I am still working on a security update for ghostscript. I have already backported the majority of patches to Jessie to fix a serious sandboxing issue with the -dSAFER mode. More patches are required to fix the problem and only yesterday more CVE were assigned to them.
Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 "Wheezy". This was my third month and I have been paid to work 12 hours on ELTS.
- I was in charge of our ELTS frontdesk from 13.08.2018 until 19.08.2018 and I triaged CVE in intel-microcode, azureus, gdm3, couchdb, lxc, squirrelmail, wordpress, wpa, xen, tomcat7, firmware-nonfree, postgresql-9.1, apache2, bluez, dojo, libcommons-compress-java, spice, spice-gtk, tomcat-native, libcgroup, libx11 and samba.
- ELA-21-1. Issued a security update for openssl fixing 1 CVE.
- ELA-27-1. Issued a security update for tomcat7 fixing 1 CVE.
- ELA-28-1. Issued a security update for tomcat-native fixing 2 CVE.
- ELA-20-2. Issued a regression update for busybox.
- ELA-29-1. Issued a security update for postgresql-9.1 fixing 1 CVE.
- ELA-30-1. Issued a security update for libx11 fixing 3 CVE.
Thanks for reading and see you next time.