Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.
- The new month began as the old one ended: with some great porting efforts to Python 3 and more bug fixes from Reiner Herrmann! I reviewed and sponsored monsterz, oneisenough, pathological, pyracerz, dd2, freedroidrpg, blockout2, hyperrogue, freegish, liquidwar, openpref and yabause.
- I replaced the build-dependency on libwxgtk3.0-dev in springlobby with libwxgtk3.0-gtk3-dev (#933460) and uploaded auralquiz to switch to phonon4qt5.
- I packaged new upstream releases of blockattack, hitori, renpy, cutemaze, peg-e and bullet and will ask the release team for a small transition in September for the latter.
- I sponsored a new version of pekka-kana-2 for Carlos Donizete Froes.
- This was a I-package-new-upstream-releases-month. New versions of undertow, lombok-patcher, activemq, visualvm, commons-dbcp2, jboss-logmanager, jackson-databind, jboss-xnio, libtwelvemonkeys-java and mvel are in the archive now.
- I uploaded a new revision of insubstantial with a patch by Andrius Merkys that fixed a grave runtime error in triplea (#935777).
- I fixed two minor CVE in binaryen, a compiler and toolchain infrastructure library for WebAssembly, by packaging the latest upstream release.
- From 12.8.2019 until 18.08.2019 and from 09.09.2019 until 10.09.2019 I was in charge of our LTS frontdesk. I investigated and triaged CVE in kde4libs, apache2, nodejs-mysql, pdfresurrect, nginx, mongodb, nova, radare2, flask, bundler, giflib, ansible, zabbix, salt, imapfilter, opensc and sqlite3.
- DLA-1886-2. Issued a regression update for openjdk-7. The regression was caused by the removal of several classes in rt.jar by upstream. Since Debian never shipped the SunEC security provider SSL connections based on elliptic curve algorithms could not be established anymore. The problem was solved by building sunec.jar and its native library libsunec.so from source. An update of the nss source package was required too which resolved a five year old bug. (#750400).
- DLA-1900-1. Issued a security update for apache2 fixing 2 CVE, three more CVE did not affect the version in Jessie.
- DLA-1914-1. Issued a security update for icedtea-web fixing 3 CVE.
- I have been working on a backport of opensc, a set of libraries and utilities to access smart cards that support cryptographic operations, from Stretch which will fix more than a dozen CVE.
Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 “Wheezy”. This was my fifteenth month and I have been assigned to work 15 hours on ELTS of which I used 10 of them.
- I was in charge of our ELTS frontdesk from 26.08.2019 until 01.09.2019 and I triaged CVE in dovecot, libcommons-compress-java, clamav, ghostscript, gosa as end-of-life because security support for them has ended in Wheezy. There were no new issues for supported packages. All in all this was a rather unspectacular week.
- ELA-156-1. Issued a security update for linux fixing 9 CVE.
- ELA-154-2. Issued a regression update for openjdk-7 and nss because the removed classes in rt.jar caused the same issues in Wheezy too.
Thanks for reading and see you next time.