Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.
- Reiner Herrmann investigated a build failure of supertuxkart on several architectures and prepared an update to link against libatomic. I reviewed and sponsored the new revision which allowed supertuxkart 1.0 to migrate to testing.
- Python 3 ports: Reiner also ported bouncy, a game for small kids, to Python 3, which I reviewed and uploaded to unstable.
- I upgraded atomix to version 3.34.0 as requested, although it is unlikely that you will notice a major difference from the previous version.
- This month I packaged new upstream releases of robocode, libsambox-java, libsejda-java, pdfsam, undertow, jboss-threads, libpdfbox2-java, lombok-patcher and jackson-databind.
- I became the new uploader of jackson-databind because the package was unmaintained and it is frequently affected by CVEs (e.g. #940498). I intend to implement a way to use a whitelist for Debian to address the recurring security vulnerabilities, instead of a blacklist, which will always be incomplete.
- I fixed bug #933715 in javahelper, a build failure that occurred whenever someone used the somewhat obscure virtual dependency debhelper-compat.
- I reviewed a new package, yetus, from Lucas Kanashiro and gave some packaging advice.
- I prepared a buster-pu for lucene-solr to fix #933854 and #933857.
- I packaged new upstream releases of ublock-origin and privacybadger, two popular Firefox/Chromium addons, and a new upstream release of wabt, the WebAssembly Binary Toolkit.
- From 11.09.2019 until 15.09.2019 I was in charge of our LTS frontdesk. I investigated and triaged CVEs in libonig, bird, curl, openssl, wpa, httpie, asterisk, wireshark and libsixel.
- DLA-1922-1. Issued a security update for wpa fixing 1 CVE.
- DLA-1932-1. Issued a security update for openssl fixing 2 CVE.
- DLA-1900-2. Issued a regression update for apache fixing 1 CVE.
- DLA-1943-1. Issued a security update for jackson-databind fixing 4 CVE.
- DLA-1954-1. Issued a security update for lucene-solr fixing 1 CVE. I triaged CVE-2019-12401 and marked Jessie as not-affected because we use the system libraries of woodstox in Debian.
- DLA-1955-1. Issued a security update for tcpdump fixing 24 CVE by backporting the latest upstream release to Jessie. I discovered several test failures, but after more investigation I came to the conclusion that the test cases had simply been created with a newer version of libpcap, which causes them to fail with Jessie's older version.
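To illustrate the whitelist approach for jackson-databind mentioned above, here is an added example (not code from the Debian package or from upstream) using the allow-list API that upstream jackson-databind 2.10 ships, PolymorphicTypeValidator and ObjectMapper.activateDefaultTyping. The Shape/Circle types and the JSON inputs are constructed for the example; whether the Debian package carries this API is not stated on this page.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class AllowListExample {
    // The application's own polymorphic base type and one implementation
    // (constructed for this example).
    public interface Shape {}
    public static final class Circle implements Shape { public double radius; }

    // Weak setting: the deprecated deny-list based default typing. Any class not
    // on Jackson's internal blacklist may be named in the JSON type id, so every
    // newly discovered gadget class means another CVE and another list entry.
    @SuppressWarnings("deprecation")
    public static ObjectMapper denyListedMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    // Corrected setting: only subtypes of Shape may be instantiated from a type
    // id. Anything else is rejected before the class is even loaded, regardless
    // of whether it appears on any deny list.
    public static ObjectMapper allowListedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = allowListedMapper();
        // Accepted: the type id names a class on the allow list
        // (default typing uses the ["class", value] wrapper-array format).
        String ok = "[\"AllowListExample$Circle\", {\"radius\": 2.0}]";
        Shape s = mapper.readValue(ok, Shape.class);
        System.out.println("radius = " + ((Circle) s).radius);
        // Rejected: a JDK class outside the allow list. Jackson throws a
        // JsonMappingException (InvalidTypeIdException in 2.10) instead of
        // constructing the object.
        String bad = "[\"java.util.ArrayList\", []]";
        try {
            mapper.readValue(bad, Object.class);
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```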
Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project, but all Debian users benefit from it without cost. The current ELTS release is Debian 7 "Wheezy". This was my sixteenth month and I have been assigned to work 15 hours on ELTS plus five hours from August. I used 15 of them for the following:
- I was in charge of our ELTS frontdesk from 30.09.2019 until 06.10.2019 and I triaged CVEs in tcpdump. There were no reports of other security vulnerabilities for supported packages in this week.
- ELA-163-1. Issued a security update for curl fixing 1 CVE.
- ELA-171-1. Issued a security update for openssl fixing 2 CVE.
- ELA-172-1. Issued a security update for linux fixing 23 CVE.
- ELA-174-1. Issued a security update for tcpdump fixing 24 CVE.