Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Java, Games and LTS topics, this might be interesting for you.
Debian Games
- This was a very quiet month compared to pre-freeze time. I reported three security vulnerabilities for Teeworlds (#927152) which were later fixed by Dylan Aïssi. Thank you.
- I also reviewed and sponsored a new revision of OpenMW for Bret Curtis. I'm not sure why he didn't ask the release team for an unblock but there may be a reason.
Debian Java
- I fixed a security vulnerability in robocode (#926088) and asked for an unblock.
- I corrected a mistake in solr-tomcat and learned, if you want to override a service file of another package (tomcat9) the conf file has to be installed into
/etc/systemd/system/tomcat9.service.d/
instead of /etc/systemd/system/tomcat9.d.*sigh*
Misc
- Last month I wrote about the challenges of the ublock-origin addon (#926586). We came to the conclusion that we can no longer provide one version for Firefox and Chromium but that we don't have to create two binary packages either. Now we use symlinks and two different directories and hopefully this will solve all the troubles we had before. It is not a great solution but hopefully we can maintain the addon without relying on patches. Thanks to Michael Meskes who implemented the changes. I will probably upload a new version to experimental in May, so that people can try it out and report back.
Debian LTS
This was my thirty-eight month as a paid contributor and I have been paid to work 17,25 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:
- From 29.04.2019 until 05.05.2019 I was in charge of our LTS frontdesk. I investigated and triaged CVE in rebar, filezilla, lucene-solr, librecad, apparmor, phpbb3, jakarta-jmeter, jetty8, jetty, php-imagick and node-tar.
- DLA-1753-2. Issued a regression update for proftpd-dfsg because it became clear that neither version 1.3.5.e nor 1.3.6 was a way forward to address the memory leaks because those versions also introduced new bugs that affected sftp setups negatively (#926719). I resolved these problems by backporting the patches for the memory leaks and by reverting to version 1.3.5 again.
- DLA-1773-1. Issued a security update for signing-party fixing 1 CVE.
- DLA-1774-1. Issued a security update for otrs2 fixing 1 CVE.
- DLA-1775-1. Issued a security update for phpbb3 fixing 1 CVE.
- DLA-1776-1. Issued a security update for librecad fixing 1 CVE.
- DLA-1785-1. Issued a security update for imagemagick together with Hugo Lefeuvre (3 CVE) fixing 50 CVE in total.
ELTS
Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 "Wheezy". This was my eleventh month and I have been paid to work 14,5 hours on ELTS.
- I was in charge of our ELTS frontdesk from 15.04.2019 until 21.04.2019 and I triaged CVE in openjdk7, php5 and libvirt.
- ELA-72-2. Issued a regression update for jasper which corrected the patch for CVE-2018-19542.
- ELA-109-1. Issued a security update for jquery fixing 1 CVE.
- ELA-111-1. Issued a security update for linux and linux-latest fixing 24 CVE.
- ELA-117-1. Issued a security update for apache2 fixing 2 CVE and investigated four more CVE which I triaged as not-affected.
Thanks for reading and see you next time.