Like each month, have a look at the work funded by Freexian’s Debian LTS offering.
Debian LTS contributors
In September, 18 contributors were paid to work on Debian LTS; their reports are available:
- Abhijith PA did 7.0h (out of 0.0h assigned and 14.0h from previous period), thus carrying over 7.0h to the next month.
- Adrian Bunk did 51.75h (out of 9.25h assigned and 55.5h from previous period), thus carrying over 13.0h to the next month.
- Arturo Borrero Gonzalez did 10.0h (out of 0.0h assigned and 10.0h from previous period).
- Bastien Roucariès did 20.0h (out of 20.0h assigned).
- Ben Hutchings did 20.0h (out of 12.0h assigned and 12.0h from previous period), thus carrying over 4.0h to the next month.
- Chris Lamb did 18.0h (out of 18.0h assigned).
- Daniel Leidert did 23.0h (out of 26.0h assigned), thus carrying over 3.0h to the next month.
- Emilio Pozuelo Monfort did 23.5h (out of 22.25h assigned and 37.75h from previous period), thus carrying over 36.5h to the next month.
- Guilhem Moulin did 22.25h (out of 20.0h assigned and 2.5h from previous period), thus carrying over 0.25h to the next month.
- Lucas Kanashiro did 10.0h (out of 5.0h assigned and 15.0h from previous period), thus carrying over 10.0h to the next month.
- Markus Koschany did 40.0h (out of 40.0h assigned).
- Ola Lundqvist did 6.5h (out of 14.5h assigned and 9.5h from previous period), thus carrying over 17.5h to the next month.
- Roberto C. Sánchez did 24.75h (out of 21.0h assigned and 3.75h from previous period).
- Santiago Ruano Rincón did 19.0h (out of 19.0h assigned).
- Sean Whitton did 0.75h (out of 4.0h assigned and 2.0h from previous period), thus carrying over 5.25h to the next month.
- Sylvain Beucler did 16.0h (out of 42.0h assigned and 18.0h from previous period), thus carrying over 44.0h to the next month.
- Thorsten Alteholz did 11.0h (out of 11.0h assigned).
- Tobias Frost did 17.0h (out of 7.5h assigned and 9.5h from previous period).
Evolution of the situation
In September, we released 52 DLAs.
September marked the first full month of Debian 11 bullseye under the responsibility of the LTS Team, and the team immediately got to work, publishing more than four dozen updates.
Some notable updates include ruby2.7 (denial of service, information leak, and remote code execution), git (various arbitrary code execution vulnerabilities), firefox-esr (multiple issues), gnutls28 (information disclosure), thunderbird (multiple issues), cacti (cross-site scripting and SQL injection), redis (unauthorized access, denial of service, and remote code execution), mariadb-10.5 (arbitrary code execution), and cups (arbitrary code execution).
Several LTS contributors have also contributed package updates which resulted either in a DSA (a Debian Security Announcement, which applies to Debian 12 bookworm) or in an upload that will be published at the next stable point release of Debian 12 bookworm. This list of packages includes cups, cups-filters, booth, nghttp2, puredata, python3.11, sqlite3, and wireshark. This sort of work, contributing fixes to newer Debian releases (and sometimes even to unstable), helps to ensure that upgrading from a release in the LTS phase of its lifecycle to a newer release does not expose users to vulnerabilities which have already been closed in the older release.
Looking beyond Debian, LTS contributor Bastien Roucariès has worked with the upstream developers of apache2 to address regressions introduced upstream by some recent vulnerability fixes, and he has also reached out to the community regarding a newly discovered security issue in the dompurify package. LTS contributor Santiago Ruano Rincón has undertaken the work of triaging and reproducing nearly four dozen CVEs potentially affecting the freeimage package. Upstream development of freeimage appears to be dormant, and some of the issues have languished for more than five years. It is unclear how much can be done without the aid of upstream, but we will do our best to provide as much help to the community as we can feasibly manage.
Finally, it is sometimes necessary to limit or discontinue support for certain packages. The transition of a release from the responsibility of the Debian Security Team to that of the LTS Team is an occasion where we assess any pending decisions in this area and formalize them. Please see the announcement for a complete list of packages which have been designated as unsupported.
Thanks to our sponsors
Sponsors that joined recently are in bold.
- Platinum sponsors:
  - TOSHIBA (for 108 months)
  - Civil Infrastructure Platform (CIP) (for 76 months)
  - VyOS Inc (for 40 months)
- Gold sponsors:
  - Roche Diagnostics International AG (for 118 months)
  - Akamai - Linode (for 112 months)
  - Babiel GmbH (for 102 months)
  - Plat’Home (for 101 months)
  - CINECA (for 76 months)
  - University of Oxford (for 58 months)
  - Deveryware (for 45 months)
  - EDF SA (for 30 months)
  - Dataport AöR (for 5 months)
  - CERN (for 3 months)
- Silver sponsors:
  - Domeneshop AS (for 123 months)
  - Nantes Métropole (for 117 months)
  - Univention GmbH (for 109 months)
  - Université Jean Monnet de St Etienne (for 109 months)
  - Ribbon Communications, Inc. (for 103 months)
  - Exonet B.V. (for 92 months)
  - Leibniz Rechenzentrum (for 87 months)
  - Ministère de l’Europe et des Affaires Étrangères (for 70 months)
  - Cloudways by DigitalOcean (for 60 months)
  - Dinahosting SL (for 58 months)
  - Bauer Xcel Media Deutschland KG (for 52 months)
  - Platform.sh SAS (for 52 months)
  - Moxa Inc. (for 46 months)
  - sipgate GmbH (for 44 months)
  - OVH US LLC (for 42 months)
  - Tilburg University (for 42 months)
  - GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 33 months)
  - Soliton Systems K.K. (for 30 months)
  - THINline s.r.o. (for 6 months)
  - Copenhagen Airports A/S
- Bronze sponsors:
  - Evolix (for 123 months)
  - Seznam.cz, a.s. (for 123 months)
  - Intevation GmbH (for 120 months)
  - Linuxhotel GmbH (for 120 months)
  - Daevel SARL (for 119 months)
  - Bitfolk LTD (for 118 months)
  - Megaspace Internet Services GmbH (for 118 months)
  - Greenbone AG (for 117 months)
  - NUMLOG (for 117 months)
  - WinGo AG (for 116 months)
  - Entr’ouvert (for 107 months)
  - Adfinis AG (for 105 months)
  - Tesorion (for 100 months)
  - GNI MEDIA (for 99 months)
  - Laboratoire LEGI - UMR 5519 / CNRS (for 99 months)
  - Bearstech (for 91 months)
  - LiHAS (for 91 months)
  - Catalyst IT Ltd (for 86 months)
  - Supagro (for 81 months)
  - Demarcq SAS (for 80 months)
  - Université Grenoble Alpes (for 66 months)
  - TouchWeb SAS (for 58 months)
  - SPiN AG (for 55 months)
  - CoreFiling (for 51 months)
  - Institut des sciences cognitives Marc Jeannerod (for 46 months)
  - Observatoire des Sciences de l’Univers de Grenoble (for 42 months)
  - Tem Innovations GmbH (for 37 months)
  - WordFinder.pro (for 36 months)
  - CNRS DT INSU Résif (for 35 months)
  - Alter Way (for 28 months)
  - Institut Camille Jordan (for 18 months)
  - SOBIS Software GmbH (for 3 months)