I changed klibc's address layout for some architectures to work
around a bug in QEMU
user-space emulation. While investigating this I realised why
klibc had started failing to link for MIPS R6, and fixed that too.
I packaged ktls-utils, which is needed to support use of TLS by the Linux kernel, in particular for NFS-over-TLS. I opened several upstream issues for problems I found.
I cherry-picked mitigations for CVE-2023-20593 a.k.a. Zenbleed to
various kernel branches, and uploaded linux version 6.1.38-2 to
bookworm-security.
I updated the buster-security branch of linux to upstream stable version 4.19.289, uploaded and issued DLA-3508-1 for it.
I uploaded linux backport versions 6.3.7-1~bpo12+1
(bookworm-backports), 6.1.28-2~bpo11+1 (bullseye-backports), and
5.10.179-3~deb10u1 (buster-security).
I released klibc version 2.0.13 after nearly 6 months of development.
(At the time of writing, the above link was broken due to an
expired certificate.) Headline features are the LoongArch port
and the use of 64-bit time_t and RT signals on all architectures.
I also uploaded the new version to Debian.
I uploaded sgt-puzzles to unstable. This brought in the new upstream
version previously in experimental. I incorporated an updated
German translation from Helge Kreutzmann, and made translation
updates less tricky to do.
I updated the buster-security (4.19) branch of linux to
stable version 4.19.288, but didn't upload it this month.
I fixed build regressions for linux/experimental on several architectures, and sent the changes upstream where appropriate (hppa, m68k, and preemptively sparc).
I created a bookworm-backports branch for the linux package, but
that suite is not yet open to uploads.
I uploaded linux version 6.1.27-1~bpo11+1 and firmware-nonfree
version 20230210-5~bpo11+1 to bullseye-backports, but they still
haven't been accepted.
The amdgpu driver lists some firmware files as potentially needed
that aren't packaged or even publicly available, which leads
to warnings from
initramfs-tools on systems using this driver. I queried these upstream, which should hopefully lead to a resolution of the bug.
Utkarsh Gupta
did 0.0h (out of 0h assigned and 25.5h from previous period), thus carrying over 25.5h to the next month.
Evolution of the situation
In June, we have released 40 DLAs.
Notable security updates in June included mariadb-10.3, openssl, and golang-go.crypto. The mariadb-10.3 package was synchronized with the latest upstream maintenance release, version 10.3.39. The openssl package was patched to correct several flaws with certificate validation and with object identifier parsing. Finally, the golang-go.crypto package was updated to address several vulnerabilities, and several associated Go packages were rebuilt in order to properly incorporate the update.
LTS contributor Sylvain has been hard at work with some behind-the-scenes improvements to internal tooling and documentation. His efforts are helping to improve the efficiency of all LTS contributors and also helping to improve the quality of their work, making our LTS updates more timely and of higher quality.
LTS contributor Lee Garrett began working on a testing framework specifically for Samba. Given the critical role which Samba plays in many deployments, the tremendous impact which regressions can have in those cases, and the unique testing requirements of Samba, this work will certainly result in increased confidence around our Samba updates for LTS.
LTS contributor Emilio Pozuelo Monfort has begun preparatory work for the upcoming Firefox ESR version 115 release. Firefox ESR (and the related Thunderbird ESR) requires special work to maintain up to date in LTS. Mozilla do not release individual patches for CVEs, and our policy is to incorporate new ESR releases from Mozilla into LTS. Most updates are minor updates, but once a year Mozilla will release a major update as they move to a new major version for ESR. The update to a new major ESR version entails many related updates to toolchain and other packages. The preparations that Emilio has begun will ensure that once the 115 ESR release is made, updated packages will be available in LTS with minimal delay.
Another highlight of behind-the-scenes work is our Front Desk personnel. While we often focus on the work which results in published package updates, much work is also involved in reviewing new vulnerabilities and triaging them (i.e., determining if they affect one or more packages in LTS and then determining the severity of those which are applicable). These intrepid contributors (Emilio Pozuelo Monfort, Markus Koschany, Ola Lundqvist, Sylvain Beucler, and Thorsten Alteholz for the month of June) reviewed dozens of vulnerabilities and made decisions about how those vulnerabilities should be dealt with.
Tobias Frost
did 16.0h (out of 15.0h assigned and 1.0h from previous period).
Utkarsh Gupta
did 5.5h (out of 5.0h assigned and 26.0h from previous period), thus carrying over 25.5h to the next month.
Evolution of the situation
In May, we have released 34 DLAs.
Several of the DLAs constituted notable security updates to LTS during the month of May. Of particular note were the linux (4.19) and linux-5.10 packages, both of which addressed a considerable number of CVEs. Additionally, the postgresql-11 package was updated by synchronizing it with the 11.20 release from upstream.
Notable non-security updates were made to the distro-info-data database and the timezone database. The distro-info-data package was updated with the final expected release date of Debian 12, made aware of Debian 14 and Ubuntu 23.10, and was updated with the latest EOL dates for Ubuntu releases. The tzdata and libdatetime-timezone-perl packages were updated with the 2023c timezone database. The changes in these packages ensure that in addition to the latest security updates LTS users also have the latest information concerning Debian and Ubuntu support windows, as well as the latest timezone data for accurate worldwide timekeeping.
LTS contributor Anton implemented an improvement to the Debian Security Tracker Unfixed vulnerabilities in unstable without a filed bug view, allowing for more effective management of CVEs which do not yet have a corresponding bug entry in the Debian BTS.
LTS contributor Sylvain concluded an audit of obsolete packages still supported in LTS to ensure that new CVEs are properly associated. In this case, a package being obsolete means that it is no longer associated with a Debian release for which the Debian Security Team has direct responsibility. When this occurs, it is the responsibility of the LTS team to ensure that incoming CVEs are properly associated to packages which exist only in LTS.
Finally, LTS contributors also contributed several updates to packages in unstable/testing/stable to fix CVEs. This helps package maintainers, addresses CVEs in current and future Debian releases, and ensures that the CVEs do not remain open for an extended period of time only for the LTS team to be required to deal with them much later in the future.
Thanks to our sponsors
Sponsors that joined recently are in bold.
Several users reported problems in building and testing patched
kernels using the instructions in the
Debian
Kernel Handbook and the test-patches script
included in the source package for this purpose:
#871216,
#1022061,
and #1023773.
The test-patches script hadn't been updated to follow
the past few years' packaging changes, and produced somewhat
broken packages. It was also not robust to being interrupted
and restarted, and was needlessly slow due to running the whole
build process under fakeroot. I fixed all these
problems in the script.
I updated the Debian Kernel Handbook to cover the changes in
test-patches and to note the problems in older versions.
I revised the instructions for building without this script to
correctly cover disabling debug info, to enable parallel builds,
and to include building all required binary packages.
I issued DLA-3403-1 and DLA-3404-1 for security updates to the linux (4.19) and linux-5.10 packages in Debian LTS.
Following the experimental upload, I investigated and fixed build failures on armel, mips64el, mipsel, and sh4 due to increases in the kernel image size.
In cross-building linux for those architectures I found
regressions in the way we build the objtool command
that's used for post-processing and checking kernel code:
The upstream build rules for objtool always carry out a
native build so that it can be used during a cross-build of the
kernel. But we also need to be able to cross-build
objtool itself for inclusion in the
linux-kbuild-version package. Our previous hack to
do this broke.
objtool was originally introduced specifically to
handle x86 code, but now supports PowerPC as well. Since
linux-kbuild packages support cross-building kernel modules, a
single build of objtool will no longer be sufficient.
I updated Debian's patch to fix reproducibility of the manual
pages for the perf tool, which was no longer working
and partly overlapped with upstream changes. The updated
version has now been applied upstream.
Unfortunately, due to reprotest's excessive memory
consumption when comparing large packages, we hadn't been
able to see that many other reproducibility issues have crept
into the linux package over the past years. I've started work on fixing those.
I made another upload of linux to the experimental suite with
all the above changes.
I reviewed a merge request to update to a release candidate for 6.4 and fixed a
build regression. This isn't merged yet, but as soon as bookworm
is released the kernel team should be ready to upload packages
based on 6.3 and a 6.4 release candidate to unstable and
experimental respectively.
Tobias Frost
did 15.0h (out of 15.0h assigned and 1.0h from previous period), thus carrying over 1.0h to the next month.
Utkarsh Gupta
did 3.5h (out of 11.0h assigned and 18.5h from previous period), thus carrying over 26.0h to the next month.
Evolution of the situation
In April, we have released 35 DLAs.
The LTS team would like to welcome our newest sponsor, Institut Camille Jordan, a French research lab. Thanks to the support of the many LTS sponsors, the entire Debian community benefits from direct security updates, as well as indirect improvements and collaboration with other members of the Debian community.
As part of improving the efficiency of our work and the quality of the security updates we produce, the LTS has continued improving our workflow. Improvements include more consistent tagging of release versions in Git and broader use of continuous integration (CI) to ensure packages are tested thoroughly and consistently. Sponsors and users can rest assured that we work continuously to maintain and improve the already high quality of the work that we do.
In March and April I worked a total of 28 hours for Freexian's
Debian LTS initiative, out of a maximum of 48 hours.
I updated the linux (4.19) package to the latest stable and
stable-rt updates, and uploaded it at the end of April. I merged
the latest bullseye security update into the linux-5.10 package and
uploaded that at the same time.
Utkarsh Gupta
did 24.25h (out of 49.25h assigned), thus carrying over 8.0h to the next month.
Evolution of the situation
In February, we have released 44 DLAs, which resolved 156 CVEs.
We are glad to welcome some new contributors who will hopefully help us fix CVEs in the supported release even faster.
However, we also experienced some setbacks as a few sponsors have stopped (or decreased) their support. If your company ever hesitated to sponsor Debian LTS, now might be a good time to join to ensure that we can continue this important work without having to scale down on the number of packages that we are able to support.
In January I was assigned 24 hours by Freexian's Debian LTS
initiative and worked 8 hours. In February I was assigned another 8
hours and worked 8 hours.
I updated the linux (4.19) package to the latest stable update, but
didn't upload it. I merged the latest bullseye security update into
the linux-5.10 package and uploaded that.
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
This is the first monthly report in 2023.
Debian LTS contributors
In January, 17 contributors have been paid to work on Debian LTS, which is possibly the highest number of active contributors per month!
Their reports are available:
Abhijith PA
did 0.0h (out of 3.0h assigned and 11.0h from previous period), thus carrying over 14.0h to the next month.
Utkarsh Gupta
did 43.25h (out of 26.25h assigned and 17.0h from previous period).
Evolution of the situation
Furthermore, we released 46 DLAs in January,
which resolved 146 CVEs. We are working diligently to reduce the number of packages listed in dla-needed.txt,
and currently, we have 55 packages listed.
We are constantly growing and seeking new contributors. If you are a Debian Developer and want to join the LTS team,
please contact us.
Dominik George
did 0.0h (out of 10.0h assigned and 14.0h from previous period), thus carrying over 24.0h to the next month.
Emilio Pozuelo Monfort
did 8.0h in December, 8.0h in November (out of 1.5h assigned and 49.5h from previous period), thus carrying over 43.0h to the next month.
Enrico Zini
did 0.0h (out of 0h assigned and 8.0h from previous period), thus carrying over 8.0h to the next month.
Guilhem Moulin
did 17.5h (out of 20.0h assigned), thus carrying over 2.5h to the next month.
Helmut Grohne
did 15.0h (out of 15.0h assigned, 2.5h were taken from the extra-budget and worked on).
Utkarsh Gupta
did 51.5h (out of 42.5h assigned and 9.0h from previous period).
Evolution of the situation
In December, we have released 47 DLAs, closing 232 CVEs.
In the same year, in total we released 394 DLAs, closing 1450 CVEs.
We are constantly growing and seeking new contributors. If you are a Debian Developer and want to join the LTS team,
please contact us.
In December I was assigned 15 hours by Freexian's Debian LTS
initiative and carried over 9 hours from November. I worked
all of those hours.
I merged the latest bullseye point release into the linux-5.10 package, uploaded that, and issued DLA-3244-1.
I also updated the linux (4.19) package to the latest stable and stable-rt versions, uploaded it, and issued DLA-3245-1.
Utkarsh Gupta
did 41.0h (out of 32.5h assigned and 25.0h from previous period), thus carrying over 16.5h to the next month.
Evolution of the situation
In November, we released 43 DLAs, fixing 183 CVEs.
We currently have 63 packages in dla-needed.txt that are waiting for updates, which is 19 fewer than the previous month.
We're excited to announce that two Debian Developers, Tobias Frost and Guilhem Moulin, have completed the on-boarding process and will begin contributing to LTS as of December 2022. Welcome aboard!
In November I was assigned 24 hours by Freexian's Debian LTS
initiative. I worked 9 of those hours and will carry over the
remainder.
I updated the linux (4.19) package to the latest stable update, but
didn't upload it. I attended the monthly LTS team meeting.
Utkarsh Gupta
did 35.0h (out of 38.0h assigned and 22.0h from previous period), thus carrying over 25.0h to the next month.
Evolution of the situation
In October, we have released 42 DLAs, closing 106 CVEs.
At the moment we have 82 packages in dla-needed.txt, waiting for update.
We are continuously working on updating our infrastructure, trying to document all of our changes in the git repository. Most of the packages there have continuous integration (CI) pipelines.
In October I was not assigned additional time by Freexian's Debian
LTS initiative, but carried over 9 hours from September and worked
all those hours.
I updated the linux (4.19) package to the latest stable update, but didn't upload it. I merged the latest bullseye security update into the linux-5.10 package, uploaded that, and issued DLA-3173-1.
I have continued to work for Freexian on Debian LTS. In August I
carried over 21 hours from July, and worked 13 hours. In September
I was assigned an additional 17 hours, and worked 16 hours. I will
carry over 9 hours into October.
In August, Debian 10 "buster" entered LTS status. I spent some time
on the backport of Linux 5.10 for buster. While this previously
existed in buster-backports, further changes were required to add it
as an alternative kernel version in buster-security, particularly
around code signing. When that was complete, I issued DLA-3102-1.
I also prepared and uploaded an update to the linux (4.19) package. I issued DLA-3131-1 for these changes.
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian project funding
No major updates on running projects. Two projects are in the pipeline now. The Tryton project is in a review phase. The Gradle project is still in progress.
In July, we put aside 2389 EUR to fund Debian projects.
We're looking forward to receiving more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In July, 14 contributors have been paid to work on Debian LTS, their reports are available:
Abhijith PA did 0.00h (out of 14.00h assigned, thus carrying over 14.00h to the next month).
Andreas Rönnquist did 0.00h (out of 0.00h assigned and 10.50h from previous period, thus carrying over 10.50h to the next month).
Anton Gladky did 23.00h (out of 25.00h assigned, thus carrying over 2.00h to the next month).
Ben Hutchings did 3.00h (out of 24.00h assigned, thus carrying over 21.00h to the next month).
Dominik George did 0.00h (out of 0.00h assigned and 22.17h from previous period, thus carrying over 22.17h to the next month).
Utkarsh Gupta did not report back about their work so we assume they did nothing (out of 35.75 available hours, thus carrying them over to the next month).
Evolution of the situation
In July, we have released 3 DLAs. July was the period when Debian Stretch already had ELTS status, but Debian Buster was still in the hands of the security team. Many members of LTS used this time to update internal infrastructure, documentation and some internal tickets. Now we are ready to take the next release into our hands: Buster!
In July I was assigned 24 hours of work by Freexian's Debian LTS
initiative. I worked 3 hours and will carry over the rest to
August.
In July, no Debian release was in LTS status. However, I spent some
time finishing the DLA text for my upload of linux at the end of
June. I also attended the LTS BoF at DebConf and the regular team
meeting.
Like each month, have a look at the work funded by Freexian's Debian LTS offering.
Debian project funding
No major updates on running projects. Two projects are in the pipeline now. The Tryton project is in a review phase. The Gradle project is still in progress.
In June, we put aside 2254 EUR to fund Debian projects.
We're looking forward to receiving more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.
Debian LTS contributors
In June, 15 contributors have been paid to work on Debian LTS, their reports are available:
Utkarsh Gupta did not report back about their work so we assume they did nothing (out of 30.25 available hours, thus carrying them over to the next month).
Evolution of the situation
In June we released 27 DLAs.
This is a special month, where we have two releases (stretch and jessie) in ELTS and NO release in LTS. Buster is still handled by the security team and will probably be handed over to LTS at the beginning of August. During this month we are updating the infrastructure and documentation and improving our internal processes to switch to a new release. Many developers have just returned from DebConf22, held in Prizren, Kosovo! Many (E)LTS members could meet face-to-face and discuss some technical and social topics! An LTS BoF also took place, where the project was introduced (link to video).
Thanks to our sponsors
Sponsors that joined recently are in bold. We are pleased to welcome Alter Way, whose support of Debian is publicly acknowledged at the highest level; see this French quote from Alterway's CEO.