Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.
- This month I packaged a new upstream Git snapshot of performous, a karaoke game, because this seemed to be the quickest route to fix a build failure and RC bug (#914061) with Debian’s latest Boost version. We had to overcome some portability issues later (#914667, #914688) and now the only blocker for a migration to testing is GCC-8 itself.
- I uploaded a new revision of widelands to fix an FTBFS with ICU 63.1 (#913513). The patch was provided by László Böszörményi.
- I updated the packaging of the following games without making bigger changes, just the normal "grooming": box2d, brainparty, dangen, flatzebra, jester and etw.
- The latest upstream release 7.1.3 of renpy, a framework for developing visual-novel type games, is available now.
- Last but not least I backported teeworlds version 0.7.0, a fun action-packed 2D shooter, and its special build system bam to Stretch because the current version 0.6.0 is unable to connect to 0.7.0 servers. Now players should be able to choose between their favorite Teeworlds versions.
- In November 2018 the Security Team approached us about mysql-connector-java, the JDBC driver for MySQL, and asked whether it would be possible to replace it with mariadb-connector-java. I thought that was a good idea because the latter is a drop-in replacement with a more transparent upstream and it would save us time to do something more important than fixing security vulnerabilities twice in the future. I had to prepare some patches and filed numerous bug reports for osmosis, igv, pegasus-wms, jameica, lucene-solr, sqlline, libreoffice-canzeley-client, libreoffice-base-drivers, jython, jclic and netbeans. The current status and remaining tasks are tracked with Debian bug #912916.
- For the rest of the time I mostly fixed RC bugs in libpicocontainer-java (#912547), activemq (#912642), libjackson-json-java (#912541), jackson-module-jaxb-annotations, lombok (#910748), cglib (#912645), scala (#912393), libxstream-java (#912377), javafxsvg (#893345), jackson-dataformat-xml (#913840), controlsfx (#911858) and h2database (#913565).
- Later I could also package a new upstream version of activemq and jboss-modules, but more importantly mediathekview, my pet peeve, so to speak. 🙂
- I sponsored another update of android-platform-system-core for Kai-Chung Yan. From now on that should no longer be necessary because he is a Debian Developer now. Congratulations!
- I packaged a new upstream release of https-everywhere, a very useful Firefox/Chromium addon.
- From 19.11.2018 until 25.11.2018 I was in charge of our LTS frontdesk. I investigated and triaged CVEs in jasper, gnome-keyring, keepalived, otrs2, gnuplot, gnuplot5, ncurses, sysstat, php5, uw-imap, eclipse and apktool.
- DLA-1568-1. Issued a security update for curl fixing 5 CVEs.
- DLA-1583-1. Issued a security update for jasper fixing 5 CVEs.
- DLA-1592-1. Issued a security update for otrs2 fixing 2 CVEs.
- DLA-1593-1. Issued a security update for phpbb3 fixing 1 CVE.
- DLA-1598-1. Issued a security update for ghostscript fixing 4 CVEs.
- DLA-1600-1. Issued a security update for libarchive fixing 12 CVEs.
- DLA-1603-1. Issued a security update for suricata fixing 4 CVEs.
- I reviewed the openssl update which was later released as DLA 1586-1.
- I also reviewed and sponsored squid3, icecast2 and keepalived for Abhijith PA.
Extended Long Term Support (ELTS) is a project led by Freexian to further extend the lifetime of Debian releases. It is not an official Debian project but all Debian users benefit from it without cost. The current ELTS release is Debian 7 "Wheezy". This was my sixth month and I have been paid to work 15 hours on ELTS.
- I was in charge of our ELTS frontdesk from 19.11.2018 until 25.11.2018 and I triaged CVEs in git, sysstat, suricata, libarchive and jasper.
- ELA-62-1. Issued a security update for libarchive fixing 3 CVEs.
- ELA-64-1. Issued a security update for suricata fixing 4 CVEs.
- ELA-65-1. Issued a security update for jasper fixing 9 CVEs.
- Since upstream development of jasper has slowed down and many bugs remain without a response, I wrote the patches for CVE-2018-18873, CVE-2018-19539 and CVE-2018-19542 myself. I will look into the remaining issues in December.
Thanks for reading and see you next time.