My Free Software Activities in March 2020

Welcome to Here is my monthly report (+ the first week in April) that covers what I have been doing for Debian. If you're interested in Java, Games and LTS topics, this might be interesting for you.

I am sure I am not the only one who will remember March 2020 in the future as a month nobody was really fond of. I was mostly occupied with non-Debian work and managed to get ill in the same week I wanted to celebrate my birthday but it didn't matter anyway because of ehm quarantine and social distancing. Maybe next year March will be great again.

Debian Games

  • I was notified by Minetest upstream that Debian did not build the game with CMAKE_BUILD_TYPE=Release or that we simply missed the -DNDEBUG compiler flag which in turn could cause some unexepected runtime errors. I quickly fixed the problem and backported the change to buster-backports. There is another pending merge request about build-depending on libspatialindex-dev. I was told it will speed up some processes on the server side, so I wanted to give it a try.
  • I fixed RC bug #954722 in spring, the RTS game engine. A change in GCC caused yet another FTBFS but was rather easy to fix.
  • I sponsored jag and runescape for Carlos Donizete Froes. Despite being such a trivial helper script for downloading the runescape launcher, the latter caused some controversy. Now it looks like all problems can be resolved and I expect another upload with bug fixes in April.
  • Last but not least I packaged a new upstream release of extremetuxracer, the racing game with Tux for all the family.

Debian Java

  • I worked on new releases of wildfly-common, undertow, jboss-threads, jboss-xnio, libsmali-java and apktool.
  • I uploaded a security update of checkstyle to Stretch and Buster and prepared another point update for Buster to fix a bug in el-api, websocket-api and jsp-api when libservlet3.1-java was upgraded from Stretch to Buster.
  • A missing jar file on the CLASSPATH in commons-configuration2 made mediathekview and other packages FTBFS (#955755) but it also motivated me to remove the unnecessary update check in MediathekView on every startup because it may take a while until I can upgrade this program again.
  • I also applied a patch by Bas Couwenberg for OpenJFX to fix a FTBFS bug due to the -Werror=deprecated-declarations flag.


  • While I am still waiting for ublock-origin being processed in the NEW queue, I packaged the latest version of another browser addon, https-everywhere.

Debian LTS

This was my 49. month as a paid contributor and I have been paid to work 10 hours on Debian LTS, a project started by Raphaël Hertzog. In that time I did the following:

  • I worked on Tomcat 8 in Jessie and prepared patches for CVE-2020-1938, CVE-2020-1935 and CVE-2019-17563. I am working together with Abhihith PA who is currently reviewing them. Especially CVE-2020-1938 requires careful attention because of new options to secure the AJP port and protocol. In contrast to Wheezy, Tomcat in Jessie will be supported at least for another year, so it makes sense to apply the upstream changes for hardening the setup.
  • I prepared another Tomcat 8 update for Stretch which will be released this month.


Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 "Wheezy". This was my 22. month and I have been paid to work 9 hours on ELTS.

  • I investigated all identified source packages from last month. They are supported but embed external software, sometimes affected by unfixed security vulnerabilities. After a closer inspection I discovered that most packages were either affected only by minor issues, which did not warrant an extra update, or they were not even affected at all because they linked against system libraries. However zlib, apache2 and php5 contained embedded and unfixed code copies of expat and file and zlib's miniunzip program was still prone to a directory traversal attack. I fixed the latter in ELA-222-1. The apache2 update will follow shortly and there is ongoing work for PHP5 anyway which allows us to fix the latest reported vulnerabilites and address the embedded code copy issues together in one update.

Thanks for reading and see you next time.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.