
Like each month, have a look at the work funded by Freexian’s Debian LTS offering.
Debian LTS contributors
In July, 17 contributors were paid to work on Debian LTS; their reports are available:
- Adrian Bunk did 19.0h (out of 19.0h assigned).
- Andrej Shadura did 5.0h (out of 0.0h assigned and 8.0h from previous period), thus carrying over 3.0h to the next month.
- Bastien Roucariès did 18.5h (out of 18.75h assigned), thus carrying over 0.25h to the next month.
- Ben Hutchings did 12.5h (out of 3.25h assigned and 15.5h from previous period), thus carrying over 6.25h to the next month.
- Carlos Henrique Lima Melara did 10.0h (out of 10.0h assigned).
- Chris Lamb did 18.0h (out of 18.0h assigned).
- Daniel Leidert did 18.75h (out of 17.25h assigned and 1.5h from previous period).
- Emilio Pozuelo Monfort did 18.75h (out of 18.75h assigned).
- Guilhem Moulin did 15.0h (out of 14.0h assigned and 1.0h from previous period).
- Jochen Sprickerhof did 2.0h (out of 16.5h assigned and 2.25h from previous period), thus carrying over 16.75h to the next month.
- Lee Garrett did 7.0h (out of 0.0h assigned and 23.25h from previous period), thus carrying over 16.25h to the next month.
- Markus Koschany did 9.0h (out of 18.75h assigned), thus carrying over 9.75h to the next month.
- Roberto C. Sánchez did 10.25h (out of 18.5h assigned and 2.75h from previous period), thus carrying over 11.0h to the next month.
- Santiago Ruano Rincón did 7.25h (out of 12.75h assigned and 2.25h from previous period), thus carrying over 7.75h to the next month.
- Sylvain Beucler did 18.75h (out of 18.75h assigned).
- Thorsten Alteholz did 15.0h (out of 15.0h assigned).
- Utkarsh Gupta did 15.0h (out of 1.0h assigned and 14.0h from previous period).
Evolution of the situation
In July, we released 24 DLAs.
- Notable security updates:
- angular.js, prepared by Bastien Roucariès, fixes multiple vulnerabilities including input sanitization and potential regular expression denial of service (ReDoS)
- tomcat9, prepared by Markus Koschany, fixes an assortment of vulnerabilities
- mediawiki, prepared by Guilhem Moulin, fixes several information disclosure and privilege escalation vulnerabilities
- php7.4, prepared by Guilhem Moulin, fixes several server side request forgery and denial of service vulnerabilities
This month’s contributions from outside the regular team include an update to thunderbird, prepared by Christoph Goehre (the package maintainer).
LTS Team members also contributed updates of the following packages:
- commons-beanutils (to stable and unstable), prepared by Adrian Bunk
- djvulibre (to oldstable, stable, and unstable), prepared by Adrian Bunk
- git (to stable), prepared by Adrian Bunk
- redis (to oldstable), prepared by Chris Lamb
- libxml2 (to oldstable), prepared by Guilhem Moulin
- commons-vfs (to oldstable), prepared by Daniel Leidert
Additionally, LTS Team member Santiago Ruano Rincón proposed and implemented an improvement to the debian-security-support package. This package is available so that interested users can quickly determine if any installed packages are subject to limited security support or are excluded entirely from security support. However, there was not previously a way to identify explicitly supported packages, which has become necessary to note exceptions to broad exclusion policies (e.g., those which apply to substantial package groups, like modules belonging to the Go and Rust language ecosystems). Santiago’s work has enabled the notation of exceptions to these exclusions, thus ensuring that users of debian-security-support have accurate status information concerning installed packages.
DebCamp 25 Security Tracker Sprint
The previously announced security tracker sprint took place at DebCamp from 7-13 July. Participants included 8 members of the standing LTS Team, 2 active Debian Developers with an interest in LTS, 3 community members, and 1 member of the Debian Security Team (who provided guidance and reviews on proposed changes to the security tracker); participants joined both in person at the venue in Brest, France, and remotely. During the days of the sprint, the team tackled a wide range of bugs and improvements, mostly targeting the security tracker.
The sprint participants worked on the following items:
- Completed during the sprint:
- Implementation of a resource which provides an alternate view of the CVE history contained in the main security tracker
- Implementation of a feature which identifies CVEs that have been fixed via a DLA but which remain unfixed in more recent releases (associated tests are still a work in progress)
- A minor bug fix to the LTS Team’s CVE triage tooling
- Removal of some dead code
- Still in progress as of the end of the sprint:
- Proposed implementation of support for vulnerabilities that don’t affect the binaries (only in the sources)
- Proposed implementation of support for tracking uploads to proposed-updates
- Continued work (which was in progress prior to the sprint) on tooling to export security tracker data in CSAF and VEX formats
- Proposed implementation of visual distinction between vulnerable/unimportant/ignored CVEs
- Proposed implementation of support for identifying CVEs that have been fixed in older and newer releases but which remain unfixed in LTS
- Proposed implementation of tooling that checks the consistency of the list of CVEs associated with a specific security update which is being prepared
- Draft documentation of the security tracker’s JSON data export schema
- Proposed clean-up of inconsistent historical entries in the DSA index
- Proposed improvement to how the security tracker handles requests for non-existent resources
- Proposed bug fix for inconsistencies in the security tracker JSON data export
- Proposed improvement to more accurately display CVE states that are currently all shown as “fixed” (1 2)
- Proposed bug fix for turning URLs from text into clickable links
- A minor bug fix to the security tracker’s linkage to Ubuntu security resources
- Proposed implementation of the ability to identify CVEs for re-triage by the LTS Team
- Continued work (which was in progress prior to the sprint) on improved tooling to support security releases of packages from language ecosystems that rely heavily on static linking
As can be seen from the above list, only a small number of changes were brought to completion during the sprint week itself. Given the very compressed timeframe involved, the broad scope of tasks which were under consideration, and the highly sensitive data managed by the security tracker, this is not entirely unexpected and in no way diminishes the great work done by the sprint participants. The LTS Team would especially like to thank Salvatore Bonaccorso of the Debian Security Team for making himself available throughout the sprint to answer questions, for providing guidance on the work, and for helping the work along by reviewing and merging the MRs which could be merged during the sprint itself.
In the weeks that follow the sprint, the team will continue working towards completing the in-progress items.
Thanks to our sponsors
Sponsors that joined recently are in bold.
- Platinum sponsors:
- Toshiba Corporation (for 118 months)
- Civil Infrastructure Platform (CIP) (for 86 months)
- VyOS Inc (for 50 months)
- Gold sponsors:
- Roche Diagnostics International AG (for 128 months)
- Akamai - Linode (for 123 months)
- Babiel GmbH (for 112 months)
- Plat’Home (for 111 months)
- University of Oxford (for 68 months)
- Deveryware (for 55 months)
- EDF SA (for 40 months)
- Dataport AöR (for 15 months)
- CERN (for 13 months)
- Silver sponsors:
- Domeneshop AS (for 133 months)
- Nantes Métropole (for 127 months)
- Univention GmbH (for 119 months)
- Université Jean Monnet de St Etienne (for 119 months)
- Ribbon Communications, Inc. (for 113 months)
- Exonet B.V. (for 103 months)
- Leibniz Rechenzentrum (for 97 months)
- Ministère de l’Europe et des Affaires Étrangères (for 81 months)
- Cloudways by DigitalOcean (for 70 months)
- Dinahosting SL (for 68 months)
- Platform.sh SAS (for 62 months)
- Moxa Inc. (for 56 months)
- sipgate GmbH (for 54 months)
- OVH US LLC (for 52 months)
- Tilburg University (for 52 months)
- GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 43 months)
- THINline s.r.o. (for 16 months)
- Copenhagen Airports A/S (for 10 months)
- Bronze sponsors:
- Evolix (for 133 months)
- Seznam.cz, a.s. (for 133 months)
- Intevation GmbH (for 130 months)
- Linuxhotel GmbH (for 130 months)
- Daevel SARL (for 129 months)
- Megaspace Internet Services GmbH (for 128 months)
- Greenbone AG (for 127 months)
- NUMLOG (for 127 months)
- WinGo AG (for 126 months)
- Entr’ouvert (for 118 months)
- Adfinis AG (for 115 months)
- Laboratoire LEGI - UMR 5519 / CNRS (for 110 months)
- Tesorion (for 110 months)
- Bearstech (for 101 months)
- LiHAS (for 101 months)
- Catalyst IT Ltd (for 96 months)
- Demarcq SAS (for 90 months)
- Université Grenoble Alpes (for 76 months)
- TouchWeb SAS (for 68 months)
- SPiN AG (for 65 months)
- CoreFiling (for 61 months)
- Institut des sciences cognitives Marc Jeannerod (for 56 months)
- Observatoire des Sciences de l’Univers de Grenoble (for 52 months)
- Tem Innovations GmbH (for 47 months)
- WordFinder.pro (for 47 months)
- CNRS DT INSU Résif (for 45 months)
- Soliton Systems K.K. (for 41 months)
- Alter Way (for 38 months)
- Institut Camille Jordan (for 28 months)
- SOBIS Software GmbH (for 13 months)
- Tuxera Inc. (for 4 months)