Welcome to gambaru.de. Here is my monthly report (+ the first week in September) that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.
- I packaged a new upstream release of teeworlds, the well-known 2D multiplayer shooter with cute characters called tees, to resolve a Python 2 bug (although teeworlds is actually a C++ game). The update also fixed a severe remote denial-of-service security vulnerability, CVE-2020-12066. I prepared a patch for Buster and will send it to the security team later today.
- I sponsored updates of mgba, a Game Boy Advance emulator, for Ryan Tandy, and osmose-emulator for Carlos Donizete Froes.
- I worked around an RC GCC 10 bug in megaglest by compiling with -fcommon.
- Thanks to Gerardo Ballabio who packaged a new upstream version of galois which I uploaded for him.
- Also thanks to Reiner Herrmann and Judit Foglszinger who fixed a regression (crash) in monsterz due to the earlier port to Python 3. Reiner also made fans of supertuxkart happy by packaging the latest upstream release version 1.2.
- I was contacted by the upstream maintainer of privacybadger, a privacy addon for Firefox and Chromium, who dislikes the idea of having a stable and unchanging version in Debian stable releases. Obviously I can’t really do much about it, although I believe the release team would be open-minded about regular point updates of browser addons. However, I don’t intend to do regular updates for all of my packages in stable unless there is a really good reason to do so. At the moment I’m willing to make an exception for ublock-origin and https-everywhere because I feel these addons should be core browser functionality anyway. I talked about this on our Debian Mozilla Extension Maintainers mailing list and it seems someone is interested in taking over privacybadger and preparing regular stable point updates. Let’s see how it turns out.
- Finally this month saw the release of ublock-origin 1.29.0 and the creation of two different browser-specific binary packages for Firefox and Chromium. I have talked about it before and I believe two separate packages for ublock-origin are more aligned to upstream development and make the whole addon easier to maintain which benefits users, upstream and maintainers.
- imlib2, an image library, and binaryen also got updated this month.
- DLA-2303-1. Issued a security update for libssh fixing 1 CVE.
- DLA-2327-1. Issued a security update for lucene-solr fixing 1 CVE.
- DLA-2369-1. Issued a security update for libxml2 fixing 8 CVEs.
- Triaged CVE-2020-14340, jboss-xnio as not-affected for Stretch.
- Triaged CVE-2020-13941, lucene-solr as no-dsa because the security impact was minor.
- Triaged CVE-2019-17638, jetty9 as not-affected for Stretch and Buster.
- squid3: I backported the patches for CVE-2020-15049, CVE-2020-15810, CVE-2020-15811 and CVE-2020-24606 from squid 4 to squid 3.
Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 8 "Jessie". This was my 27th month and I have been paid to work 14.25 hours on ELTS.
- ELA-271-1. Issued a security update for squid3 fixing 19 CVEs. Most of the work was already done before ELTS started; only the patch for CVE-2019-12529 had to be adjusted for the nettle version in Jessie.
- ELA-273-1. Issued a security update for nss fixing 1 CVE.
- ELA-276-1. Issued a security update for libjpeg-turbo fixing 2 CVEs.
- ELA-277-1. Issued a security update for graphicsmagick fixing 1 CVE.
- ELA-279-1. Issued a security update for imagemagick fixing 3 CVEs.
- ELA-280-1. Issued a security update for libxml2 fixing 4 CVEs.
Thanks for reading and see you next time.