Like each month, have a look at the work funded by Freexian s Debian LTS offering. Debian project funding No any major updates on running projects.
Two 1, 2 projects are in the pipeline now.
Tryton project is in a review phase. Gradle projects is still fighting in work. In June, we put aside 2254 EUR to fund Debian projects. We re looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article. Debian LTS contributors In June, 15 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 14.00h (out of 14.00h assigned).
• Andreas R nnquist did 14.50h (out of 14.50h assigned and 10.50h from previous period, thus carrying over 10.50h to the next month).
• Anton Gladky did 16.00h (out of 16.00h assigned).
• Ben Hutchings did 16.00h (out of 0.00h assigned and 16.00h from previous period).
• Chris Lamb did 18.00h (out of 18.00h assigned).
• Dominik George did 1.83h (out of 6.00h assigned and 18.00h from previous period, thus carrying over 22.17h to the next month).
• Emilio Pozuelo Monfort did 30.25h (out of 9.25h assigned and 21.00h from previous period).
• Enrico Zini did 8.00h (out of 9.50h assigned and 6.50h from previous period, thus carrying over 8.00h to the next month).
• Markus Koschany did 30.25h (out of 30.25h assigned).
• Ola Lundqvist did nothing (out of 12.00 available hours, thus carrying them over to the next month).
• Roberto C. S nchez did 27.50h (out of 11.75h assigned and 18.50h from previous period, thus carrying over 2.75h to the next month).
• Stefano Rivera did 8.00h (out of 30.25h assigned, thus carrying over 20.75h to the next month).
• Sylvain Beucler did 30.25h (out of 13.75h assigned and 16.50h from previous period).
• Thorsten Alteholz did 30.25h (out of 30.25h assigned).
• Utkarsh Gupta did not report back about their work so we assume they did nothing (out of 30.25 available hours, thus carrying them over to the next month).

Evolution of the situation In June we released 27 DLAs.

This is a special month, where we have two releases (stretch and jessie) as ELTS and NO release as LTS. Buster is still handled by the security team and will probably be given in LTS hands at the beginning of the August. During this month we are updating the infrastructure, documentation and improve our internal processes to switch to a new release.
Many developers have just returned back from Debconf22, hold in Prizren, Kosovo! Many (E)LTS members could meet face-to-face and discuss some technical and social topics! Also LTS BoF took place, where the project was introduced (link to video).

Thanks to our sponsors Sponsors that joined recently are in bold. We are pleased to welcome Alter Way where their support of Debian is publicly acknowledged at the higher level, see this French quote of Alterway s CEO.

• Platinum sponsors:
  • TOSHIBA (for 82 months)
  • GitHub (for 73 months)
  • Civil Infrastructure Platform (CIP) (for 50 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 93 months)
  • Linode (for 87 months)
  • Babiel GmbH (for 76 months)
  • Plat Home (for 76 months)
  • University of Oxford (for 32 months)
  • Deveryware (for 19 months)
  • VyOS Inc (for 14 months)
  • EDF SA (for 3 months)
• Silver sponsors:
  • Domeneshop AS (for 98 months)
  • The Positive Internet Company (for 98 months)
  • Nantes M tropole (for 92 months)
  • Univention GmbH (for 83 months)
  • Universit Jean Monnet de St Etienne (for 83 months)
  • Ribbon Communications, Inc. (for 77 months)
  • Exonet B.V. (for 67 months)
  • Leibniz Rechenzentrum (for 61 months)
  • CINECA (for 50 months)
  • Minist re de l Europe et des Affaires trang res (for 45 months)
  • Cloudways Ltd (for 34 months)
  • Dinahosting SL (for 32 months)
  • Bauer Xcel Media Deutschland KG (for 26 months)
  • Platform.sh (for 26 months)
  • Moxa Intelligence Co., Ltd. (for 20 months)
  • sipgate GmbH (for 17 months)
  • Tilburg University (for 16 months)
  • OVH US LLC (for 15 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 7 months)
  • Soliton Systems K.K. (for 4 months)
• Bronze sponsors:
  • Evolix (for 98 months)
  • Seznam.cz, a.s. (for 98 months)
  • Intevation GmbH (for 95 months)
  • Linuxhotel GmbH (for 95 months)
  • Daevel SARL (for 94 months)
  • Bitfolk LTD (for 92 months)
  • Megaspace Internet Services GmbH (for 92 months)
  • NUMLOG (for 92 months)
  • Greenbone Networks GmbH (for 91 months)
  • WinGo AG (for 91 months)
  • Ecole Centrale de Nantes LHEEA (for 87 months)
  • Entr ouvert (for 82 months)
  • Adfinis AG (for 80 months)
  • GNI MEDIA (for 74 months)
  • Laboratoire LEGI UMR 5519 / CNRS (for 74 months)
  • Tesorion (for 74 months)
  • Bearstech (for 66 months)
  • LiHAS (for 65 months)
  • Catalyst IT Ltd (for 60 months)
  • Supagro (for 55 months)
  • Demarcq SAS (for 54 months)
  • Universit Grenoble Alpes (for 40 months)
  • TouchWeb SAS (for 32 months)
  • SPiN AG (for 29 months)
  • CoreFiling (for 24 months)
  • Institut des sciences cognitives Marc Jeannerod (for 19 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 16 months)
  • Tem Innovations GmbH (for 11 months)
  • WordFinder.pro (for 10 months)
  • CNRS DT INSU R sif (for 9 months)
  • Alter Way

Like each month, have a look at the work funded by Freexian s Debian LTS offering. Debian project funding Two [1, 2] projects are in the pipeline now. Tryton project is in a final phase. Gradle projects is fighting with technical difficulties. In May, we put aside 2233 EUR to fund Debian projects. We re looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article. Debian LTS contributors In May, 14 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 14.0h (out of 14h assigned).
• Andreas R nnquist did 14.5h (out of 25.0h assigned), thus carrying over 10.5h to June.
• Anton Gladky did 19h (out of 19h assigned).
• Ben Hutchings did 8h (out of 11h assigned and 13h from April), thus carrying over 16h to June.
• Chris Lamb did 18h (out of 18h assigned).
• Dominik George did 2h (out of 20.0h assigned), thus carrying over 18h to June.
• Enrico Zini did 9.5h (out of 16.0h assigned), thus carrying over 6.5h to June.
• Emilio Pozuelo Monfort did 28h (out of 13.75h assigned and 35.25h from April), thus carrying over 21h to June.
• Markus Koschany did 40h (out of 40h assigned).
• Roberto C. S nchez did 13.5h (out of 32h assigned), thus carrying over 18.5h to June.
• Sylvain Beucler did 23.5h (out of 20h assigned and 20h from April), thus carrying over 16.5h to June.
• Stefano Rivera did 5h in April and 14h in May (out of 17.5h assigned), thus anticipating 1.5h for June.
• Thorsten Alteholz did 40h (out of 40h assigned).
• Utkarsh Gupta did 35h (out of 19h assigned and 30h from April), thus carrying over 14h to June.

Evolution of the situation In May we released 49 DLAs. The security tracker currently lists 71 packages with a known CVE and the dla-needed.txt file has 65 packages needing an update. The number of paid contributors increased significantly, we are pleased to welcome our latest team members: Andreas R nnquist, Dominik George, Enrico Zini and Stefano Rivera. It is worth pointing out that we are getting close to the end of the LTS period for Debian 9. After June 30th, no new security updates will be made available on security.debian.org. We are preparing to overtake Debian 10 Buster for the next two years and to make this process as smooth as possible. But Freexian and its team of paid Debian contributors will continue to maintain Debian 9 going forward for the customers of the Extended LTS offer. If you have Debian 9 servers to keep secure, it s time to subscribe! You might not have noticed, but Freexian formalized a mission statement where we explain that our purpose is to help improve Debian. For this, we want to fund work time for the Debian developers that recently joined Freexian as collaborators. The Extended LTS and the PHP LTS offers are built following a model that will help us to achieve this if we manage to have enough customers for those offers. So consider subscribing: you help your organization but you also help Debian! Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 81 months)
  • GitHub (for 72 months)
  • Civil Infrastructure Platform (CIP) (for 49 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 92 months)
  • Linode (for 86 months)
  • Babiel GmbH (for 75 months)
  • Plat Home (for 75 months)
  • University of Oxford (for 31 months)
  • Deveryware (for 18 months)
  • VyOS Inc (for 13 months)
  • EDF SA
• Silver sponsors:
  • The Positive Internet Company (for 97 months)
  • Domeneshop AS (for 96 months)
  • Nantes M tropole (for 90 months)
  • Univention GmbH (for 82 months)
  • Universit Jean Monnet de St Etienne (for 82 months)
  • Ribbon Communications, Inc. (for 76 months)
  • Exonet B.V. (for 66 months)
  • Leibniz Rechenzentrum (for 60 months)
  • CINECA (for 49 months)
  • Minist re de l Europe et des Affaires trang res (for 43 months)
  • Cloudways Ltd (for 33 months)
  • Dinahosting SL (for 31 months)
  • Bauer Xcel Media Deutschland KG (for 25 months)
  • Platform.sh (for 25 months)
  • Moxa Intelligence Co., Ltd. (for 19 months)
  • sipgate GmbH (for 16 months)
  • OVH US LLC (for 14 months)
  • Tilburg University (for 14 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 6 months)
  • Telecats BV (for 4 months)
  • Soliton Systems K.K. (for 3 months)
• Bronze sponsors:
  • Evolix (for 97 months)
  • Seznam.cz, a.s. (for 97 months)
  • Intevation GmbH (for 94 months)
  • Linuxhotel GmbH (for 94 months)
  • Daevel SARL (for 92 months)
  • Bitfolk LTD (for 91 months)
  • Megaspace Internet Services GmbH (for 91 months)
  • Greenbone Networks GmbH (for 90 months)
  • NUMLOG (for 90 months)
  • WinGo AG (for 90 months)
  • Ecole Centrale de Nantes LHEEA (for 86 months)
  • Entr ouvert (for 81 months)
  • Adfinis AG (for 78 months)
  • GNI MEDIA (for 73 months)
  • Laboratoire LEGI UMR 5519 / CNRS (for 73 months)
  • Tesorion (for 73 months)
  • Bearstech (for 64 months)
  • LiHAS (for 64 months)
  • People Doc (for 61 months)
  • Catalyst IT Ltd (for 59 months)
  • Supagro (for 54 months)
  • Demarcq SAS (for 53 months)
  • Universit Grenoble Alpes (for 39 months)
  • TouchWeb SAS (for 31 months)
  • SPiN AG (for 28 months)
  • CoreFiling (for 23 months)
  • Institut des sciences cognitives Marc Jeannerod (for 18 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 15 months)
  • Tem Innovations GmbH (for 10 months)
  • WordFinder.pro (for 9 months)
  • CNRS DT INSU R sif (for 8 months)
  • Alter Way

Like each month, have a look at the work funded by Freexian s Debian LTS offering. Debian project funding Two projects are currently in the pipeline: Gradle enterprise and Tryton update. Progress is quite slow on the Gradle one, there are technical difficulties. The tryton one was stalled because the developer had not enough time but seems to progress smoothly in the last weeks. In April, we put aside 2635 EUR to fund Debian projects. We re looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article. Debian LTS contributors In April, 11 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 14h out of 14h assigned
• Anton Gladky did 20h out of 20h assigned
• Ben Hutchings did 11h out of 16h assigned and 8h from March, thus carrying over 13h to May
• Chris Lamb did 18h out of 18h assigned
• Emilio Pozuelo Monfort did 18h (out of 53.25h assigned), thus carrying over 35.25h to May
• Jeremiah Foster did 9.5h out of 13.5h assigned, thus carrying over 4h to May
• Markus Koschany did 40 out of 40h assigned
• Roberto C. S nchez did 18h carried out from March
• Sylvain Beucler did 20h out of 14.5h assigned and 25.5h from March, thus carrying over 20h to May
• Thorsten Alteholz did 40h out of 40h assigned
• Utkarsh Gupta did 23.25h out of 51.5h assigned and 1.75h from March, thus carrying over 30h to May

Evolution of the situation In April we released 30 DLAs and we were glad to welcome a new customer with Alter Way. The security tracker currently lists 72 packages with a known CVE and the dla-needed.txt file has 71 packages needing an update. It is worth pointing out that we are getting close to the end of the LTS period for Debian 9. After June 30th, no new security updates will be made available on security.debian.org. But Freexian and its team of paid Debian contributors will continue to maintain Debian 9 going forward for the customers of the Extended LTS offer. If you have Debian 9 servers to keep secure, it s time to subscribe! You might not have noticed, but Freexian formalized a mission statement where we explain that our purpose is to help improve Debian. For this, we want to fund work time for the Debian developers that recently joined Freexian as collaborators. The Extended LTS and the PHP LTS offers are built following a model that will help us to achieve this if we manage to have enough customers for those offers. So consider subscribing: you help your organization but you also help Debian! Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 80 months)
  • GitHub (for 71 months)
  • Civil Infrastructure Platform (CIP) (for 48 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 91 months)
  • Linode (for 85 months)
  • Babiel GmbH (for 75 months)
  • Plat Home (for 74 months)
  • University of Oxford (for 30 months)
  • Deveryware (for 17 months)
  • VyOS Inc (for 12 months)
  • EDF SA
• Silver sponsors:
  • The Positive Internet Company (for 97 months)
  • Domeneshop AS (for 96 months)
  • Nantes M tropole (for 90 months)
  • Universit Jean Monnet de St Etienne (for 82 months)
  • Univention GmbH (for 81 months)
  • Ribbon Communications, Inc. (for 75 months)
  • Exonet B.V. (for 65 months)
  • Leibniz Rechenzentrum (for 59 months)
  • CINECA (for 49 months)
  • Minist re de l Europe et des Affaires trang res (for 43 months)
  • Cloudways Ltd (for 32 months)
  • Dinahosting SL (for 30 months)
  • Bauer Xcel Media Deutschland KG (for 24 months)
  • Platform.sh (for 24 months)
  • Moxa Intelligence Co., Ltd. (for 18 months)
  • sipgate GmbH (for 15 months)
  • Tilburg University (for 14 months)
  • OVH US LLC (for 13 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 5 months)
  • Telecats BV (for 3 months)
  • Soliton Systems K.K.
• Bronze sponsors:
  • Evolix (for 96 months)
  • Seznam.cz, a.s. (for 96 months)
  • Intevation GmbH (for 93 months)
  • Linuxhotel GmbH (for 93 months)
  • Daevel SARL (for 92 months)
  • Bitfolk LTD (for 91 months)
  • Megaspace Internet Services GmbH (for 91 months)
  • Greenbone Networks GmbH (for 90 months)
  • NUMLOG (for 90 months)
  • WinGo AG (for 89 months)
  • Ecole Centrale de Nantes LHEEA (for 85 months)
  • Entr ouvert (for 80 months)
  • Adfinis AG (for 78 months)
  • GNI MEDIA (for 72 months)
  • Laboratoire LEGI UMR 5519 / CNRS (for 72 months)
  • Tesorion (for 72 months)
  • Bearstech (for 64 months)
  • LiHAS (for 64 months)
  • People Doc (for 60 months)
  • Catalyst IT Ltd (for 58 months)
  • Supagro (for 54 months)
  • Demarcq SAS (for 52 months)
  • Universit Grenoble Alpes (for 38 months)
  • TouchWeb SAS (for 30 months)
  • SPiN AG (for 27 months)
  • CoreFiling (for 23 months)
  • Institut des sciences cognitives Marc Jeannerod (for 17 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 14 months)
  • Tem Innovations GmbH (for 9 months)
  • WordFinder.pro (for 8 months)
  • CNRS DT INSU R sif (for 7 months)
  • Alter Way

Every month we review the work funded by Freexian s Debian LTS offering. Please find the report for March below. Debian project funding

• There was no new activity in Debian project funding in the two existing projects. However, there was a survey run with hundreds of Debian Developers and Debian contributors. The survey results are being collated and we will use the anonymized data to further develop the Freexian project funding initiative.
• We are preparing to more broadly announce additional support for Debian 8 Jessie and Debian 9 Stretch. Now, Debian 8 can be supported until June 2025 and Debian 9 until June 2027. More information on ELTS support is available.
• In March 2250 was put aside to fund Debian projects.

Learn more about the rationale behind this initiative in this article. Debian LTS contributors In March, 11 contributors were paid to work on Debian LTS, their reports are available below. If you re interested in participating in the LTS or ELTS teams, we welcome participation from the Debian community. Simply get in touch with Jeremiah or Rapha l if you are if you are interested in participating.

• Abhijith PA did 12.0h out of 12h assigned.
• Anton Gladky did 20h out of 20h assigned.
• Ben Hutchings did 16h out of 24h assigned.
• Chris Lamb did 18h out of 18h assigned.
• Emilio Pozuelo Monfort did 59.5h out of 59.5h assigned.
• Jeremiah Foster did 13.5 out of 20h assigned.
• Markus Koschany did 40h out of 40h assigned.
• Roberto C. S nchez did 14h out of 32h assigned, carrying over 18h
• Sylvain Beucler did 14.5h out of 40h assigned, carrying over 25.5h
• Thorsten Alteholz did 40h out of 40h assigned.
• Utkarsh Gupta did 57.75h out of 59.5h assigned, carrying over 1.75 hours.

Evolution of the situation In March we released 42 DLAs. The security tracker currently lists 81 packages with a known CVE and the dla-needed.txt file has 52 packages needing an update. We re glad to welcome a few new sponsors such as lectricit de France (Gold sponsor), Telecats BV and Soliton Systems. Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 79 months)
  • GitHub (for 70 months)
  • Civil Infrastructure Platform (CIP) (for 47 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 90 months)
  • Linode (for 84 months)
  • Babiel GmbH (for 73 months)
  • Plat Home (for 73 months)
  • University of Oxford (for 29 months)
  • Deveryware (for 16 months)
  • VyOS Inc (for 11 months)
  • EDF SA
• Silver sponsors:
  • Domeneshop AS (for 95 months)
  • The Positive Internet Company (for 95 months)
  • Nantes M tropole (for 89 months)
  • Univention GmbH (for 80 months)
  • Universit Jean Monnet de St Etienne (for 80 months)
  • Ribbon Communications, Inc. (for 74 months)
  • Exonet B.V. (for 64 months)
  • Leibniz Rechenzentrum (for 58 months)
  • CINECA (for 47 months)
  • Minist re de l Europe et des Affaires trang res (for 42 months)
  • Cloudways Ltd (for 31 months)
  • Dinahosting SL (for 29 months)
  • Bauer Xcel Media Deutschland KG (for 23 months)
  • Platform.sh (for 23 months)
  • Moxa Intelligence Co., Ltd. (for 17 months)
  • sipgate GmbH (for 14 months)
  • Tilburg University (for 13 months)
  • OVH US LLC (for 12 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH (for 4 months)
  • Telecats BV
  • Soliton Systems K.K.
• Bronze sponsors:
  • Evolix (for 95 months)
  • Seznam.cz, a.s. (for 95 months)
  • Intevation GmbH (for 92 months)
  • Linuxhotel GmbH (for 92 months)
  • Daevel SARL (for 91 months)
  • Bitfolk LTD (for 89 months)
  • Megaspace Internet Services GmbH (for 89 months)
  • NUMLOG (for 89 months)
  • Greenbone Networks GmbH (for 88 months)
  • WinGo AG (for 88 months)
  • Ecole Centrale de Nantes LHEEA (for 84 months)
  • Entr ouvert (for 79 months)
  • Adfinis AG (for 77 months)
  • GNI MEDIA (for 71 months)
  • Laboratoire LEGI UMR 5519 / CNRS (for 71 months)
  • Tesorion (for 71 months)
  • Bearstech (for 63 months)
  • LiHAS (for 62 months)
  • People Doc (for 59 months)
  • Catalyst IT Ltd (for 57 months)
  • Supagro (for 52 months)
  • Demarcq SAS (for 51 months)
  • Universit Grenoble Alpes (for 37 months)
  • TouchWeb SAS (for 29 months)
  • SPiN AG (for 26 months)
  • CoreFiling (for 22 months)
  • Institut des sciences cognitives Marc Jeannerod (for 16 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 13 months)
  • Tem Innovations GmbH (for 8 months)
  • WordFinder.pro (for 7 months)
  • CNRS DT INSU R sif (for 6 months)

Every month we review the work funded by Freexian s Debian LTS offering. Please find the report for February below. Debian project funding

• In February Rapha l and the LTS worked on a survey of Debian developers meant to solicit ideas for improvements in the Debian project at large. You can see the results of the initial discussion here in the list of ideas of which there are already over 30.
• The full survey is due to be emailed to Debian Developers shortly.
• In February 2250 was put aside to fund Debian projects.

Debian LTS contributors In February, 12 contributors were paid to work on Debian LTS, their reports are available below. If you re interested in participating in the LTS or ELTS teams, we welcome participation from the Debian community. Simply get in touch with Jeremiah or Rapha l if you are if you are interested in participating.

• Abhijith PA did 10h out of 10h available.
• Anton Gladky did 20h out of 20h available.
• Ben Hutchings did 16h out of 16h available.
• Chris Lamb did 18h out of 18h available.
• Emilio Pozuelo Monfort did 42.75h out of 42.75h available.
• Jeremiah Foster worked 20 hours out of 20 available on LTS administration and 2.9 hours on funded projects.
• Markus Koschany did 30h (out of 40h available), thus carrying over 10h to March.
• Roberto C. S nchez did 12h out of 12h available.
• Sylvain Beucler did 13h (out of 40h available), thus carrying over 27h to March.
• Thorsten Alteholz did 40h out of 40h available.
• Utkarsh Gupta did 15.75h (out of 42.75h available), thus carrying over 27h to March.

Evolution of the situation In February we released 24 DLAs. The security tracker currently lists 61 packages with a known CVE and the dla-needed.txt file has 26 packages needing an update. You can find out more about the Debian LTS project via the following video:

Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 78 months)
  • GitHub (for 68 months)
  • Civil Infrastructure Platform (CIP) (for 46 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 89 months)
  • Linode (for 83 months)
  • Babiel GmbH (for 72 months)
  • Plat Home (for 71 months)
  • University of Oxford (for 28 months)
  • Deveryware (for 15 months)
  • VyOS Inc (for 10 months)
• Silver sponsors:
  • The Positive Internet Company (for 94 months)
  • Domeneshop AS (for 93 months)
  • Nantes M tropole (for 87 months)
  • Univention GmbH (for 79 months)
  • Universit Jean Monnet de St Etienne (for 79 months)
  • Ribbon Communications, Inc. (for 73 months)
  • Exonet B.V. (for 63 months)
  • Leibniz Rechenzentrum (for 57 months)
  • CINECA (for 46 months)
  • Minist re de l Europe et des Affaires trang res (for 40 months)
  • Cloudways Ltd (for 29 months)
  • Dinahosting SL (for 27 months)
  • Platform.sh (for 22 months)
  • Bauer Xcel Media Deutschland KG (for 21 months)
  • Moxa Intelligence Co., Ltd. (for 16 months)
  • sipgate GmbH (for 13 months)
  • OVH US LLC (for 11 months)
  • Tilburg University (for 11 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH
  • Telecats BV
  • Soliton Systems K.K.
• Bronze sponsors:
  • Evolix (for 94 months)
  • Seznam.cz, a.s. (for 94 months)
  • Linuxhotel GmbH (for 91 months)
  • Intevation GmbH (for 90 months)
  • Daevel SARL (for 89 months)
  • Bitfolk LTD (for 88 months)
  • Megaspace Internet Services GmbH (for 88 months)
  • Greenbone Networks GmbH (for 87 months)
  • NUMLOG (for 87 months)
  • WinGo AG (for 86 months)
  • Ecole Centrale de Nantes LHEEA (for 83 months)
  • Entr ouvert (for 78 months)
  • Adfinis AG (for 75 months)
  • Laboratoire LEGI UMR 5519 / CNRS (for 70 months)
  • Tesorion (for 70 months)
  • GNI MEDIA (for 69 months)
  • Bearstech (for 61 months)
  • LiHAS (for 61 months)
  • People Doc (for 57 months)
  • Catalyst IT Ltd (for 56 months)
  • Supagro (for 51 months)
  • Demarcq SAS (for 50 months)
  • Universit Grenoble Alpes (for 36 months)
  • TouchWeb SAS (for 28 months)
  • SPiN AG (for 24 months)
  • CoreFiling (for 20 months)
  • Institut des sciences cognitives Marc Jeannerod (for 15 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 11 months)
  • Tem Innovations GmbH (for 6 months)
  • WordFinder.pro (for 6 months)
  • CNRS DT INSU R sif (for 4 months)

Every month we review the work funded by Freexian s Debian LTS offering. Please find the report for January below. Debian project funding

• In January we saw a new funded project proposed. The project is meant to bring in a number of changes to the Tryton modules and packages in Debian. Tryton, a full featured, entirely open source business software platform, is supported by its own foundation. You can track the current status of all our funded projects at its dedicated web page.
• Folks continue to add to the Grow Your Ideas project page, that s great.
• In January 2550 was put aside to fund Debian projects.

We continue to looking forward to hearing about Debian project proposals from various Debian stakeholders. This month has seen work on a survey that will go out to Debian Developers to gather feedback on what they think should be the priorities for funding in the project. Learn more about the rationale behind this initiative in this article. Debian LTS contributors In January, 13 contributors were paid to work on Debian LTS, their reports are available below. If you re interested in participating in the LTS or ELTS teams, we welcome participation from the Debian community. Simply get in touch with Jeremiah or Rapha l.

• Abhijith Pa worked 5 hours out of 5 available.
• Anton Gladky worked 12 hours out of 12 available.
• Ben Hutchings worked 16 hours out of 24 available and carried over 8 for February.
• Chris Lamb worked 18 hours out of 18 available.
• Emilio Pozuelo Monfort worked 55 hours out of 58.25 available and carried over 3.25 for February
• Jeremiah Foster worked 20 hours out of 20 available on LTS administration and 8.3 hours on funded projects.
• Lee Garrett didn t spend any hours in January and carries over 39.25 hours to February
• Markus Koschany worked 34 hours out of 40 available and carried over 6 for February.
• Ola Lundqvist reported via email that they didn t spend any hours in January and carries over 11 from December for a total of 12 hours for February.
• Roberto C. Sanchez worked 9 hours out of 32 available and carried over 23 for February
• Sylvain Beucler worked 22 hours out of 40 available and carried over 14 for February
• Thorsten Alteholz worked 40 hours out of 40 available.
• Utkarsh Gupta worked 58.25 hours out of 58.25 available.

Evolution of the situation In January we released 34 DLAs. The security tracker currently lists 39 packages with a known CVE and the dla-needed.txt file has 20 packages still needing an update. Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 77 months)
  • GitHub (for 68 months)
  • Civil Infrastructure Platform (CIP) (for 45 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 88 months)
  • Linode (for 82 months)
  • Babiel GmbH (for 71 months)
  • Plat Home (for 71 months)
  • University of Oxford (for 27 months)
  • Deveryware (for 14 months)
  • VyOS Inc (for 9 months)
• Silver sponsors:
  • The Positive Internet Company (for 93 months)
  • Domeneshop AS (for 92 months)
  • Nantes M tropole (for 86 months)
  • Univention GmbH (for 78 months)
  • Universit Jean Monnet de St Etienne (for 78 months)
  • Ribbon Communications, Inc. (for 72 months)
  • Exonet B.V. (for 62 months)
  • Leibniz Rechenzentrum (for 56 months)
  • CINECA (for 45 months)
  • Minist re de l Europe et des Affaires trang res (for 39 months)
  • Cloudways Ltd (for 29 months)
  • Dinahosting SL (for 27 months)
  • Bauer Xcel Media Deutschland KG (for 21 months)
  • Platform.sh (for 21 months)
  • Moxa Intelligence Co., Ltd. (for 15 months)
  • sipgate GmbH (for 12 months)
  • OVH US LLC (for 10 months)
  • Tilburg University (for 10 months)
  • GSI Helmholtzzentrum f r Schwerionenforschung GmbH
  • Telecats BV
• Bronze sponsors:
  • Evolix (for 93 months)
  • Seznam.cz, a.s. (for 93 months)
  • Intevation GmbH (for 90 months)
  • Linuxhotel GmbH (for 90 months)
  • Daevel SARL (for 88 months)
  • Bitfolk LTD (for 87 months)
  • Megaspace Internet Services GmbH (for 87 months)
  • Greenbone Networks GmbH (for 86 months)
  • NUMLOG (for 86 months)
  • WinGo AG (for 86 months)
  • Ecole Centrale de Nantes LHEEA (for 82 months)
  • Entr ouvert (for 77 months)
  • Adfinis AG (for 74 months)
  • GNI MEDIA (for 69 months)
  • Laboratoire LEGI UMR 5519 / CNRS (for 69 months)
  • Tesorion (for 69 months)
  • Bearstech (for 60 months)
  • LiHAS (for 60 months)
  • People Doc (for 57 months)
  • Catalyst IT Ltd (for 55 months)
  • Supagro (for 50 months)
  • Demarcq SAS (for 49 months)
  • Universit Grenoble Alpes (for 35 months)
  • TouchWeb SAS (for 27 months)
  • SPiN AG (for 24 months)
  • CoreFiling (for 19 months)
  • Institut des sciences cognitives Marc Jeannerod (for 14 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 11 months)
  • Tem Innovations GmbH (for 6 months)
  • WordFinder.pro (for 5 months)
  • CNRS DT INSU R sif (for 4 months)

Every month we review the work funded by Freexian s Debian LTS offering. Please find the report for November below. Debian project funding

• Our project funding work continues with an active bid on the work of packaging a recent gradle in Debian. This month the bidder has been estimating the scope of the entire project.
• The Grow Your Ideas project page also has some ambitious initiatives that may evolve into a funded project. The project ideas on that page range from a new wiki for Debian, a more efficient reimbursement process, and the implementation of PPAs for Debian.
• In November 2625 was put aside to fund Debian projects.

We continue to looking forward to hearing about Debian project proposals from various Debian stakeholders. This month has seen work on a survey that will go out to Debian Developers to gather feedback on what they think should be the priorities for funding in the project. Learn more about the rationale behind this initiative in this article. Debian LTS contributors In November 13 contributors were paid to work on Debian LTS, their reports are available below. If you re interested in participating in the LTS or ELTS teams, we welcome participation from the Debian community. Simply get in touch with Jeremiah if you are interested in participating.

• Adrian Bunk did 62h out of 56h assigned for November and 6h from October.
• Anton Gladky did 12h out of 12h assigned.
• Ben Hutchings did 20h (out of 16h available, thus anticipating 4h from December).
• Chris Lamb did 18h out of 18h assigned.
• Holger Levsen gave back 3h (out of 3h assigned).
• Jeremiah Foster is coordinating/managing the LTS team did 29h (out of 10h assigned and 10h from October for LTS administration), and spent 9 hours on Projects funded directly through the project funding program.
• Lee Garrett did 9 hours out 60 assigned and carried over 51h into December
• Markus Koschany did 30h out of 30h assigned.
• Neil Williams did 1.5h (out of 11.5h assigned and 28.5h from October). He gave back the remaining hours.
• Roberto C. S nchez did 31.5h (out of 32h assigned), thus carrying over .5h to December.
• Sylvain Beucler did 21.5h (out of 62h assigned), thus carrying over 40.5h to December.
• Thorsten Alteholz did 40h (out of 40h assigned).
• Utkarsh Gupta did 30 (out of 40h assigned), thus carrying over 10h to December.

Evolution of the situation In November we released 31 DLAs. The security tracker currently lists 23 packages with a known CVE and the dla-needed.txt file has 16 packages needing an update. Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 75 months)
  • GitHub (for 65 months)
  • Civil Infrastructure Platform (CIP) (for 43 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 86 months)
  • Linode (for 80 months)
  • Babiel GmbH (for 69 months)
  • Plat Home (for 68 months)
  • University of Oxford (for 25 months)
  • Deveryware (for 12 months)
  • VyOS
• Silver sponsors:
  • The Positive Internet Company (for 91 months)
  • Domeneshop AS (for 90 months)
  • Nantes M tropole (for 84 months)
  • Univention GmbH (for 76 months)
  • Universit Jean Monnet de St Etienne (for 76 months)
  • Ribbon Communications, Inc. (for 70 months)
  • Exonet B.V. (for 59 months)
  • Leibniz Rechenzentrum (for 54 months)
  • CINECA (for 43 months)
  • Minist re de l Europe et des Affaires trang res (for 37 months)
  • Cloudways Ltd (for 26 months)
  • Dinahosting SL (for 24 months)
  • Platform.sh (for 19 months)
  • Bauer Xcel Media Deutschland KG (for 18 months)
  • Moxa Intelligence Co., Ltd. (for 13 months)
  • sipgate GmbH (for 10 months)
  • OVH US LLC (for 8 months)
  • Tilburg University (for 8 months)
• Bronze sponsors:
  • Evolix (for 91 months)
  • Seznam.cz, a.s. (for 91 months)
  • Linuxhotel GmbH (for 88 months)
  • Intevation GmbH (for 87 months)
  • Daevel SARL (for 86 months)
  • Bitfolk LTD (for 85 months)
  • Megaspace Internet Services GmbH (for 85 months)
  • Greenbone Networks GmbH (for 84 months)
  • NUMLOG (for 84 months)
  • WinGo AG (for 83 months)
  • Ecole Centrale de Nantes LHEEA (for 80 months)
  • Entr ouvert (for 75 months)
  • Adfinis AG (for 72 months)
  • Laboratoire LEGI UMR 5519 / CNRS (for 67 months)
  • Tesorion (for 67 months)
  • GNI MEDIA (for 66 months)
  • Bearstech (for 58 months)
  • LiHAS (for 58 months)
  • People Doc (for 54 months)
  • Catalyst IT Ltd (for 53 months)
  • Supagro (for 48 months)
  • Demarcq SAS (for 47 months)
  • Universit Grenoble Alpes (for 33 months)
  • TouchWeb SAS (for 25 months)
  • SPiN AG (for 21 months)
  • CoreFiling (for 17 months)
  • Institut des sciences cognitives Marc Jeannerod (for 12 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 8 months)
  • Tem Innovations GmbH (for 3 months)
  • WordFinder.pro (for 3 months)
  • CNRS DT INSU R sif

Every month we review the work funded by Freexian s Debian LTS offering. Please find the report for October below. Debian project funding

• Our project funding work continues with an active bid on the work of packaging gradle in Debian. The next steps are reviewing the bid and formal approval.
• In October 2,475 EUR was put aside to fund Debian projects.

We re looking forward to receiving more projects from various Debian teams! Learn more about the rationale behind this initiative in this article. Debian LTS contributors In October 12 contributors were paid to work on Debian LTS, their reports are available below.

• Adrian Bunk did 40.5h in October (out of 28.5h assigned and 18h remaining, thus keeping 6h for November).
• Anton Gladky did 12h (out of 12h assigned).
• Ben Hutchings did 14.75h in October (out of 2h assigned and 28h remaining, thus keeping 15.25h for November).
• Chris Lamb did 18h (out of 18h assigned).
• Holger Levsen did 1h (out of 12h assigned, but gave back the remaining 11h).
• Jeremiah Foster worked 20h (out of 20h assigned and 10h remaining, thus keeping 10h for November).
• Markus Koschany did 28.5h (out of 28.5h assigned).
• Ola Lundqvist did 5h (out of 5h assigned).
• Roberto C. S nchez did 28.5h (out of 28.5h assigned).
• Sylvain Beucler did 23.5h (out of 28.5h assigned, but gave back the remaining 5h).
• Thorsten Alteholz did 28.5h (out of 28.5h assigned).
• Utkarsh Gupta did 28.5h (out of 28.5h assigned).

Evolution of the situation In October we released 34 DLAs.

Also, we would like to remark once again that we are constantly looking for new contributors. Please contact Jeremiah if you are interested! The security tracker currently lists 37 packages with a known CVE and the dla-needed.txt file has 22 packages needing an update. Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 74 months)
  • GitHub (for 64 months)
  • Civil Infrastructure Platform (CIP) (for 42 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 85 months)
  • Linode (for 79 months)
  • Babiel GmbH (for 68 months)
  • Plat Home (for 67 months)
  • University of Oxford (for 24 months)
  • Deveryware (for 11 months)
  • VyOS
• Silver sponsors:
  • The Positive Internet Company (for 90 months)
  • Domeneshop AS (for 89 months)
  • Nantes M tropole (for 83 months)
  • Univention GmbH (for 75 months)
  • Universit Jean Monnet de St Etienne (for 75 months)
  • Ribbon Communications, Inc. (for 69 months)
  • Exonet B.V. (for 59 months)
  • Leibniz Rechenzentrum (for 53 months)
  • CINECA (for 42 months)
  • Minist re de l Europe et des Affaires trang res (for 36 months)
  • Cloudways Ltd (for 25 months)
  • Dinahosting SL (for 23 months)
  • Platform.sh (for 18 months)
  • Bauer Xcel Media Deutschland KG (for 17 months)
  • Moxa Intelligence Co., Ltd. (for 12 months)
  • sipgate GmbH (for 9 months)
  • OVH US LLC (for 7 months)
  • Tilburg University (for 7 months)
• Bronze sponsors:
  • Evolix (for 90 months)
  • Seznam.cz, a.s. (for 90 months)
  • Linuxhotel GmbH (for 87 months)
  • Intevation GmbH (for 86 months)
  • Daevel SARL (for 85 months)
  • Bitfolk LTD (for 84 months)
  • Megaspace Internet Services GmbH (for 84 months)
  • Greenbone Networks GmbH (for 83 months)
  • NUMLOG (for 83 months)
  • WinGo AG (for 82 months)
  • Ecole Centrale de Nantes LHEEA (for 79 months)
  • Entr ouvert (for 74 months)
  • Adfinis AG (for 71 months)
  • Laboratoire LEGI UMR 5519 / CNRS (for 66 months)
  • Tesorion (for 66 months)
  • GNI MEDIA (for 65 months)
  • Bearstech (for 57 months)
  • LiHAS (for 57 months)
  • People Doc (for 53 months)
  • Catalyst IT Ltd (for 52 months)
  • Supagro (for 47 months)
  • Demarcq SAS (for 46 months)
  • Universit Grenoble Alpes (for 32 months)
  • TouchWeb SAS (for 24 months)
  • SPiN AG (for 20 months)
  • CoreFiling (for 16 months)
  • Institut des sciences cognitives Marc Jeannerod (for 11 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 7 months)
  • Tem Innovations GmbH
  • WordFinder.pro
  • CNRS DT INSU R sif

Like each month, have a look at the work funded by Freexian s Debian LTS offering. Debian project funding Folks from the LTS team, along with members of the Debian Android Tools team and Phil Morrel, have proposed work on the Java build tool, gradle, which is currently blocked due to the need to build with a plugin not available in Debian. The LTS team reviewed the project submission and it has been approved. After approval we ve created a Request for Bids which is active now. You ll hear more about this through official Debian channels, but in the meantime, if you feel you can help with this project, please submit a bid. Thanks! This September, Freexian set aside 2550 EUR to fund Debian projects. We re looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article. Debian LTS contributors In September, 15 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA has returned hours and marked themselves inactive, at least for the time being. He did 0h out of 14h, carried over 14h and returned 28h.
• Adrian Bunk did 19.5h (out of 24.75h assigned and 12.75 from August), carrying over 18h to October.
• Anton Gladky did 12h (out of 12h assigned).
• Ben Hutchings did 2h (out of 12.75h assigned and 19.25h from August), thus carrying over 30h to October.
• Chris Lamb did 18h (out of 18h assigned).
• Emilio Pozuelo Monfort did not report back about their work so we assume they did nothing (out of 5.5h assigned plus 74.5h from August), thus is carrying over 80h for October.
• Holger Levsen did 3h (out of 12h assigned) and gave back 9h and carried over 3h.
• Jeremiah Foster worked 10 hours (out of 20h assigned) on LTS work, carrying over 10h.
• Lee Garrett did not report back about their work so we assume they did nothing (out of 24.75h assigned and 23.75 from August), thus is carrying over 48.50h for October.
• Markus Koschany did 43.5h (out of 24.75h assigned and 18.75h from August)
• Neil Williams did 24.5h (out of 24.75h assigned)
• Roberto C. S nchez did 6h (out of 24.75h assigned and gave back 18.75h)
• Sylvain Beucler did 27h (out of 24.75h assigned).
• Thorsten Alteholz did 24.75h (out of 24.75h assigned).
• Utkarsh Gupta did 24.75h (out of 24.75h assigned) but did not publish his report yet.
• Ola Lundqvist did 2 hours (out of 21h carried over from previous months), and is thus carrying 19h for October.

Evolution of the situation In September we released 30 DLAs. September was also the second month of Jeremiah coordinating LTS contributors. Also, we would like say that we are always looking for new contributors to LTS. Please contact Jeremiah if you are interested! The security tracker currently lists 33 packages with a known CVE and the dla-needed.txt file has 26 packages needing an update. Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 73 months)
  • GitHub (for 64 months)
  • Civil Infrastructure Platform (CIP) (for 41 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 84 months)
  • Linode (for 78 months)
  • Babiel GmbH (for 67 months)
  • Plat Home (for 67 months)
  • University of Oxford (for 23 months)
  • Deveryware (for 10 months)
  • VyOS
• Silver sponsors:
  • The Positive Internet Company (for 89 months)
  • Domeneshop AS (for 88 months)
  • Nantes M tropole (for 82 months)
  • Univention GmbH (for 74 months)
  • Universit Jean Monnet de St Etienne (for 74 months)
  • Ribbon Communications, Inc. (for 68 months)
  • Exonet B.V. (for 58 months)
  • Leibniz Rechenzentrum (for 52 months)
  • CINECA (for 41 months)
  • Minist re de l Europe et des Affaires trang res (for 35 months)
  • Cloudways Ltd (for 24 months)
  • Dinahosting SL (for 22 months)
  • Bauer Xcel Media Deutschland KG (for 17 months)
  • Platform.sh (for 17 months)
  • Moxa Intelligence Co., Ltd. (for 11 months)
  • sipgate GmbH (for 8 months)
  • OVH US LLC (for 6 months)
  • Tilburg University (for 6 months)
• Bronze sponsors:
  • Evolix (for 89 months)
  • Seznam.cz, a.s. (for 89 months)
  • Linuxhotel GmbH (for 86 months)
  • Intevation GmbH (for 85 months)
  • Daevel SARL (for 84 months)
  • Bitfolk LTD (for 83 months)
  • Megaspace Internet Services GmbH (for 83 months)
  • Greenbone Networks GmbH (for 82 months)
  • NUMLOG (for 82 months)
  • WinGo AG (for 81 months)
  • Ecole Centrale de Nantes LHEEA (for 78 months)
  • Entr ouvert (for 73 months)
  • Adfinis AG (for 70 months)
  • Laboratoire LEGI UMR 5519 / CNRS (for 65 months)
  • Tesorion (for 65 months)
  • GNI MEDIA (for 64 months)
  • Bearstech (for 56 months)
  • LiHAS (for 56 months)
  • People Doc (for 52 months)
  • Catalyst IT Ltd (for 51 months)
  • Demarcq SAS (for 45 months)
  • Universit Grenoble Alpes (for 31 months)
  • TouchWeb SAS (for 23 months)
  • SPiN AG (for 19 months)
  • CoreFiling (for 15 months)
  • Institut des sciences cognitives Marc Jeannerod (for 10 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 7 months)
  • Tem Innovations GmbH
  • WordFinder.pro

Like each month, have a look at the work funded by Freexian s Debian LTS offering. Debian project funding In August, we put aside 2460 EUR to fund Debian projects. We received a new project proposal that got approved and there s an associated bid request if you feel like proposing yourself to implement this project. We re looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article. Debian LTS contributors In August, 14 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 4.0h (out of 14h assigned and 5h from August), thus carrying over 15h to September.
• Adrian Bunk did 11h (out of 23.75h assigned), thus carrying over 12.75h to September.
• Anton Gladky did 12h (out of 12h assigned).
• Ben Hutchings did 1.25h (out of 13.25h assigned and 6h from August), thus carrying over 18h to September.
• Chris Lamb did 18h (out of 18h assigned).
• Emilio Pozuelo Monfort did not report back about their work so we assume they did nothing (out of 23.75h assigned plus 50.75h from August), thus is carrying over 74.5h for September.
• Holger Levsen did 3h (out of 12h assigned) to help coordinate the team, and gave back the remaining hours.
• Lee Garrett did nothing (out of 23.75h assigned), thus is carrying over 23.75h for September.
• Markus Koschany did 35h (out of 23.75h assigned and 30h from August), thus carrying over 18.75h to September.
• Neil Williams did 24h (out of 23.75h assigned), thus anticipating 0.25h of October.
• Roberto C. S nchez did 22.25h (out of 23.75h assigned), thus carrying over 1.5h to September.
• Sylvain Beucler did 21.5h (out of 23.75h assigned), thus carrying over 2.25h to September.
• Thorsten Alteholz did 23.75h (out of 23.75h assigned).
• Utkarsh Gupta did 23.75h (out of 23.75h assigned).

Evolution of the situation In August we released 30 DLAs.

This is the first month of Jeremiah coordinating LTS contributors. We would like to thank Holger Levsen for his work on this role up to now.

Also, we would like to remark once again that we are constantly looking for new contributors. Please contact Jeremiah if you are interested! The security tracker currently lists 73 packages with a known CVE and the dla-needed.txt file has 29 packages needing an update. Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 72 months)
  • GitHub (for 63 months)
  • Civil Infrastructure Platform (CIP) (for 40 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 83 months)
  • Linode (for 77 months)
  • Babiel GmbH (for 67 months)
  • Plat Home (for 66 months)
  • University of Oxford (for 22 months)
  • Deveryware (for 9 months)
  • VyOS
• Silver sponsors:
  • The Positive Internet Company (for 89 months)
  • Domeneshop AS (for 88 months)
  • Nantes M tropole (for 82 months)
  • Universit Jean Monnet de St Etienne (for 74 months)
  • Univention GmbH (for 73 months)
  • Ribbon Communications, Inc. (for 67 months)
  • Exonet B.V. (for 57 months)
  • Leibniz Rechenzentrum (for 51 months)
  • CINECA (for 41 months)
  • Minist re de l Europe et des Affaires trang res (for 35 months)
  • Cloudways Ltd (for 24 months)
  • Dinahosting SL (for 22 months)
  • Bauer Xcel Media Deutschland KG (for 16 months)
  • Platform.sh (for 16 months)
  • Moxa Intelligence Co., Ltd. (for 10 months)
  • sipgate GmbH (for 7 months)
  • Tilburg University (for 6 months)
  • OVH US LLC (for 5 months)
• Bronze sponsors:
  • Evolix (for 88 months)
  • Seznam.cz, a.s. (for 88 months)
  • Intevation GmbH (for 85 months)
  • Linuxhotel GmbH (for 85 months)
  • Daevel SARL (for 84 months)
  • Bitfolk LTD (for 83 months)
  • Greenbone Networks GmbH (for 82 months)
  • Megaspace Internet Services GmbH (for 82 months)
  • NUMLOG (for 82 months)
  • WinGo AG (for 81 months)
  • Ecole Centrale de Nantes LHEEA (for 77 months)
  • Entr ouvert (for 72 months)
  • Adfinis AG (for 70 months)
  • GNI MEDIA (for 64 months)
  • Laboratoire LEGI UMR 5519 / CNRS (for 64 months)
  • Tesorion (for 64 months)
  • Bearstech (for 56 months)
  • LiHAS (for 56 months)
  • People Doc (for 52 months)
  • Catalyst IT Ltd (for 50 months)
  • Demarcq SAS (for 44 months)
  • Universit Grenoble Alpes (for 30 months)
  • TouchWeb SAS (for 22 months)
  • SPiN AG (for 19 months)
  • CoreFiling (for 15 months)
  • Institut des sciences cognitives Marc Jeannerod (for 9 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 6 months)
  • Tem Innovations GmbH
  • WordFinder.pro

LTS This is my sixth month of working for LTS. I was assigned 12 hrs and worked all of them.

Released DLAs

1. DLA 2742-1 ffmpeg_7:3.2.15-0+deb9u3
   • CVE-2020-22036: A heap-based Buffer Overflow vulnerability in filter_intra at libavfilter/vf_bwdif.c, which might lead to memory corruption and other potential consequences.
   • CVE-2020-22032: A heap-based Buffer Overflow vulnerability in gaussian_blur, which might lead to memory corruption and other potential consequences.
   • CVE-2020-22031: A Heap-based Buffer Overflow vulnerability in filter16_complex_low, which might lead to memory corruption and other potential consequences.
   • CVE-2020-22028: Buffer Overflow vulnerability in filter_vertically_8 at libavfilter/vf_avgblur.c, which could cause a remote Denial of Service.
   • CVE-2020-22026: Buffer Overflow vulnerability exists in the config_input function at libavfilter/af_tremolo.c, which could let a remote malicious user cause a Denial of Service.
   • CVE-2020-22025: A heap-based Buffer Overflow vulnerability exists in gaussian_blur at libavfilter/vf_edgedetect.c, which might lead to memory corruption and other potential consequences.
   • CVE-2020-22023: A heap-based Buffer Overflow vulnerabililty exists in filter_frame at libavfilter/vf_bitplanenoise.c, which might lead to memory corruption and other potential consequences.
   • CVE-2020-22022: A heap-based Buffer Overflow vulnerability exists in filter_frame at libavfilter/vf_fieldorder.c, which might lead to memory corruption and other potential consequences.
   • CVE-2020-22021: Buffer Overflow vulnerability at filter_edges function in libavfilter/vf_yadif.c, which could let a remote malicious user cause a Denial of Service.
   • CVE-2020-22020: Buffer Overflow vulnerability in the build_diff_map function in libavfilter/vf_fieldmatch.c, which could let a remote malicious user cause a Denial of Service.
   • CVE-2020-22016: A heap-based Buffer Overflow vulnerability at libavcodec/get_bits.h when writing .mov files, which might lead to memory corruption and other potential consequences.
   • CVE-2020-22015: Buffer Overflow vulnerability in mov_write_video_tag due to the out of bounds in libavformat/movenc.c, which could let a remote malicious user obtain sensitive information, cause a Denial of Service, or execute arbitrary code.
   • CVE-2020-21041: Buffer Overflow vulnerability exists via apng_do_inverse_blend in libavcodec/pngenc.c, which could let a remote malicious user cause a Denial of Service
   • CVE-2021-3566: The tty demuxer did not have a read_probe function assigned to it. By crafting a legitimate ffconcat file that references an image, followed by a file the triggers the tty demuxer, the contents of the second file will be copied into the output file verbatim (as long as the -vcodec copy option is passed to ffmpeg).
   • CVE-2021-38114: libavcodec/dnxhddec.c does not check the return value of the init_vlc function. Crafted DNxHD data can cause unspecified impact.
2. DLA 2742-2 ffmpeg_7:3.2.15-0+deb9u4 During the backporting of one of patches in CVE-2020-22021 one line was wrongly interpreted and it caused the regression during the deinterlacing process. Thanks to Jari Ruusu for the reporting the issue and for the testing of prepared update.

Other LTS-related work

• Analyzed CVE-2020-22027 and marked as ignored for stretch. Original patch is not appliable. The issue is reproducible though.
• Analyzed CVE-2020-22019 and marked as ignored for stretch.
• Analyzed CVE-2020-22017 and marked as ignored for stretch.
• Updated tomcat8-LTS-salsa-repo to tne newer 8.5.54-0+deb9u7 version.
• Minor WIKI update.
• Frontdesk duties CW33/2021. It was my fist attempt to do such kind of task. I triaged apache2 and gitit.
• Analyzed CVEs in firmware-nonfree.
• Started to work on rustc.

LTS-Meeting

• I attended the Debian LTS team Jitsi-meeting (though the connection was extremely bad).
• Partly participated in preparation of Debconf21 BoF Funding Projects to Improve Debian .

Debian Science Team

• Partly participated in Debconf21 Debian Science BoF.

Other FLOSS activities

• Reviewed many merge requests in Yade open source project, merge some of them.

Like each month, have a look at the work funded by Freexian s Debian LTS offering. Debian project funding In July, we put aside 2400 EUR to fund Debian projects. We haven t received proposals of projects to fund in the last months, so we have scheduled a discussion during Debconf to try to to figure out why that is and how we can fix that. Join us on August 26th at 16:00 UTC on this link. We are pleased to announce that Jeremiah Foster will help out to make this initiative a success : he can help Debian members to come up with solid proposals, he can look for people willing to do the work once the project has been formalized and approved, and he will make sure that the project implementation keeps on track when the actual work has begun. We re looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article. Debian LTS contributors In July, 12 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 5.0h (out of 7h assigned and 3h remaining), thus carrying over 5h to August.
• Anton Gladky did 12h (out of 12h assigned).
• Ben Hutchings did 12.75h (out of 16h assigned and 2.75h from June), thus carrying over 6h to August.
• Chris Lamb did 18h (out of 18h assigned).
• Emilio Pozuelo Monfort did not report back about their work so we assume they did nothing (out of 39.75h assigned plus 11h from June), thus is carrying over 50.75h for August.
• Holger Levsen s work was coordinating/managing the LTS team, he did 3.5h (out of 12h assigned) and gave back 8.5h to the pool.
• Markus Koschany did 30h (out of 30h assigned and 30h from June), thus carrying over 30h to August.
• Ola Lundqvist did nothing (out of 12h assigned plus 20h from June), thus is carrying over 32h for August.
• Roberto C. S nchez did 13.5h (out of 32h assigned and 20h from June), and gave back 38.5h to the pool.
• Sylvain Beucler did 30h (out of 30h assigned).
• Thorsten Alteholz did 30h (out of 30h assigned).
• Utkarsh Gupta did 39.75h (out of 39.75h assigned).

Evolution of the situation In July we released 30 DLAs. Also we were glad to welcome Neil Williams and Lee Garrett who became active contributors. The security tracker currently lists 63 packages with a known CVE and the dla-needed.txt file has 17 packages needing an update. We would like to thank Holger Levsen for the years of work where he managed/coordinated the paid LTS contributors. Jeremiah Foster will take over his duties. Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 71 months)
  • GitHub (for 62 months)
  • Civil Infrastructure Platform (CIP) (for 39 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 82 months)
  • Linode (for 76 months)
  • Babiel GmbH (for 65 months)
  • Plat Home (for 65 months)
  • University of Oxford (for 21 months)
  • Deveryware (for 8 months)
  • VyOS
• Silver sponsors:
  • The Positive Internet Company (for 87 months)
  • Domeneshop AS (for 86 months)
  • Nantes M tropole (for 80 months)
  • Univention GmbH (for 72 months)
  • Universit Jean Monnet de St Etienne (for 72 months)
  • Ribbon Communications, Inc. (for 66 months)
  • Exonet B.V. (for 56 months)
  • Leibniz Rechenzentrum (for 50 months)
  • CINECA (for 39 months)
  • Minist re de l Europe et des Affaires trang res (for 33 months)
  • Cloudways Ltd (for 23 months)
  • Dinahosting SL (for 21 months)
  • Bauer Xcel Media Deutschland KG (for 15 months)
  • Platform.sh (for 15 months)
  • Moxa Intelligence Co., Ltd. (for 9 months)
  • sipgate GmbH (for 6 months)
  • OVH US LLC (for 4 months)
  • Tilburg University (for 4 months)
• Bronze sponsors:
  • Evolix (for 87 months)
  • Seznam.cz, a.s. (for 87 months)
  • Intevation GmbH (for 84 months)
  • Linuxhotel GmbH (for 84 months)
  • Daevel SARL (for 82 months)
  • Bitfolk LTD (for 81 months)
  • Megaspace Internet Services GmbH (for 81 months)
  • Greenbone Networks GmbH (for 80 months)
  • NUMLOG (for 80 months)
  • WinGo AG (for 80 months)
  • Ecole Centrale de Nantes LHEEA (for 76 months)
  • Entr ouvert (for 71 months)
  • Adfinis AG (for 68 months)
  • GNI MEDIA (for 63 months)
  • Laboratoire LEGI UMR 5519 / CNRS (for 63 months)
  • Tesorion (for 63 months)
  • Bearstech (for 54 months)
  • LiHAS (for 54 months)
  • People Doc (for 51 months)
  • Catalyst IT Ltd (for 49 months)
  • Demarcq SAS (for 43 months)
  • Universit Grenoble Alpes (for 29 months)
  • TouchWeb SAS (for 21 months)
  • SPiN AG (for 18 months)
  • CoreFiling (for 13 months)
  • Institut des sciences cognitives Marc Jeannerod (for 8 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 5 months)

LTS This is my fifth month of working for LTS. I was assigned 12 hrs and worked all of them.

Released DLAs

1. DLA 2705-1 scilab_5.5.2-4+deb9u1
   • CVE-2021-31598: Out-of-bounds write in ezxml_decode() leading to heap corruption
   • CVE-2021-31347, CVE-2021-31348: incorrect memory handling in ezxml_parse_str() leading to out-of-bounds read
   • CVE-2021-31229: Out-of-bounds write in ezxml_internal_dtd() leading to out-of-bounds write of a one byte constant
   • CVE-2021-30485: incorrect memory handling, leading to a NULL pointer dereference in ezxml_internal_dtd()
   With this upload not all opened CVEs were closed in this package. Because some of CVEs were not fixed yet by upstream. Added links to upstream bug reports for the following CVEs: CVE-2021-31598 CVE-2021-31348 CVE-2021-31347 CVE-2021-31229 CVE-2021-30485 CVE-2021-26222 CVE-2021-26221 CVE-2021-26220 CVE-2019-20202 CVE-2019-20201 CVE-2019-20200 CVE-2019-20199 CVE-2019-20198 CVE-2019-20007 CVE-2019-20006 CVE-2019-20005 into the data/CVE/list on securoty tracker.
2. DLA 2707-1 sogo_3.2.6-2+deb9u1
   • CVE-2021-33054: SOGo does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method.

Other LTS-related work

• Many hours were spent, working on ffmpeg, where currently 18 CVEs are opened. Some of them are fixed in git.The work is ongoing.
• Analyzed CVE-2020-22035 and marked as not-affected for stretch.
• Analyzed CVE-2020-22034 and marked as not-affected for stretch.
• Analyzed CVE-2020-22033 and marked as not-affected for stretch.
• Analyzed CVE-2020-22030 and marked as not-affected for stretch.
• Analyzed CVE-2020-22029 and marked as not-affected for stretch.

LTS-Meeting I attended the Debian LTS team IRC-meeting this month.

Other FLOSS activities

1. One week before the full freeze of Debian Bullseye the release-critical bug #990895 against the package httraqt was filed. Thanks to the reporter I could fix it within the hour after the ticket was created, uploaded as the version httraqt_1.4.9-5, filed an unblock-request, which was approved.

Like each month, have a look at the work funded by Freexian s Debian LTS offering. Debian project funding In June, we put aside 5775 EUR to fund Debian projects for which we re looking forward to receive more projects from various
Debian teams! Learn more about the rationale behind this initiative in this article. Debian LTS contributors In June, 12 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 18.0h (out of 14h assigned and 19h from May), thus carrying over 15h to July.
• Anton Gladky did 12h (out of 12h assigned).
• Ben Hutchings did 13.25h (out of 14h assigned and 2h from May), thus carrying over 2.75h to July.
• Chris Lamb did 18h (out of 18h assigned).
• Emilio Pozuelo Monfort did 29h (out of 40h assigned), thus carrying over 11h to July.
• Holger Levsen s work was coordinating/managing the LTS team, he did 3.5h (out of 12h assigned) and gave back 8.5h to the pool.
• Markus Koschany did 29.75h (out of 30h assigned plus 29.75h from May), thus carrying over 30h for July.
• Ola Lundqvist did 10h (out of 12h assigned and 4.5h from May), thus carrying over 6.5h to July.
• Roberto C. S nchez did 12h (out of 32h assigned), thus carrying over 20h to July.
• Sylvain Beucler did 30h (out of 30h assigned).
• Thorsten Alteholz did 30h (out of 30h assigned).
• Utkarsh Gupta did not report back about their work so we assume they did nothing (out of 40h assigned), thus is carrying over 40h for July.

Evolution of the situation In June we released 30 DLAs. As already written last month we are looking for a Debian LTS project manager and team coordinator.
Finally, we would like to remark once again that we are constantly looking for new contributors. Please contact Holger if you are interested! The security tracker currently lists 41 packages with a known CVE and the dla-needed.txt file has 23 packages needing an update. Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 70 months)
  • GitHub (for 60 months)
  • Civil Infrastructure Platform (CIP) (for 38 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 81 months)
  • Linode (for 75 months)
  • Babiel GmbH (for 64 months)
  • Plat Home (for 63 months)
  • University of Oxford (for 20 months)
  • Deveryware (for 7 months)
  • VyOS
• Silver sponsors:
  • The Positive Internet Company (for 86 months)
  • Domeneshop AS (for 85 months)
  • Nantes M tropole (for 79 months)
  • Univention GmbH (for 71 months)
  • Universit Jean Monnet de St Etienne (for 71 months)
  • Ribbon Communications, Inc. (for 65 months)
  • Exonet B.V. (for 54 months)
  • Leibniz Rechenzentrum (for 48 months)
  • CINECA (for 38 months)
  • Minist re de l Europe et des Affaires trang res (for 32 months)
  • Cloudways Ltd (for 21 months)
  • Dinahosting SL (for 19 months)
  • Platform.sh (for 14 months)
  • Bauer Xcel Media Deutschland KG (for 13 months)
  • Moxa Intelligence Co., Ltd. (for 7 months)
  • sipgate GmbH (for 5 months)
  • OVH US LLC (for 3 months)
  • Tilburg University (for 3 months)
• Bronze sponsors:
  • Seznam.cz, a.s. (for 86 months)
  • Evolix (for 85 months)
  • Linuxhotel GmbH (for 83 months)
  • Intevation GmbH (for 82 months)
  • Daevel SARL (for 81 months)
  • Bitfolk LTD (for 80 months)
  • Megaspace Internet Services GmbH (for 80 months)
  • Greenbone Networks GmbH (for 79 months)
  • NUMLOG (for 79 months)
  • WinGo AG (for 78 months)
  • Ecole Centrale de Nantes LHEEA (for 75 months)
  • Entr ouvert (for 70 months)
  • Adfinis AG (for 67 months)
  • Laboratoire LEGI UMR 5519 / CNRS (for 62 months)
  • Tesorion (for 62 months)
  • GNI MEDIA (for 61 months)
  • Bearstech (for 53 months)
  • LiHAS (for 53 months)
  • People Doc (for 49 months)
  • Catalyst IT Ltd (for 47 months)
  • Demarcq SAS (for 41 months)
  • Universit Grenoble Alpes (for 28 months)
  • TouchWeb SAS (for 20 months)
  • SPiN AG (for 16 months)
  • CoreFiling (for 12 months)
  • Institut des sciences cognitives Marc Jeannerod (for 7 months)
  • Observatoire des Sciences de l Univers de Grenoble (for 3 months)

LTS This is my fourth month of working for LTS. I was assigned 12 hrs and worked all of them.

Released DLAs

1. DLA 2672-1 imagemagick_6.9.7.4+dfsg-11+deb9u13
   • CVE-2020-27751 A flaw was found in MagickCore/quantum-export.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned long long as well as a shift exponent that is too large for 64-bit type. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior.
   • CVE-2021-20243 A flaw was found in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero.
   • CVE-2021-20245 A flaw was found in coders/webp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero.
   • CVE-2021-20309 A division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick.
   • CVE-2021-20312 An integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick.
   • CVE-2021-20313 A potential cipher leak when the calculate signatures in TransformSignature is possible.
2. DLA 2677-1 libwebp_0.5.2-1+deb9u1
   • CVE-2018-25009 An out-of-bounds read was found in function WebPMuxCreateInternal. The highest threat from this vulnerability is to data confidentiality and to the service availability.
   • CVE-2018-25010 An out-of-bounds read was found in function ApplyFilter. The highest threat from this vulnerability is to data confidentiality and to the service availability.
   • CVE-2018-25011 A heap-based buffer overflow was found in PutLE16(). The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
   • CVE-2018-25012 An out-of-bounds read was found in function WebPMuxCreateInternal. The highest threat from this vulnerability is to data confidentiality and to the service availability.
   • CVE-2018-25013 An out-of-bounds read was found in function ShiftBytes. The highest threat from this vulnerability is to data confidentiality and to the service availability.
   • CVE-2018-25014 An unitialized variable is used in function ReadSymbol. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
   • CVE-2020-36328 A heap-based buffer overflow in function WebPDecodeRGBInto is possible due to an invalid check for buffer size. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
   • CVE-2020-36329 A use-after-free was found due to a thread being killed too early. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
   • CVE-2020-36330 An out-of-bounds read was found in function ChunkVerifyAndAssign. The highest threat from this vulnerability is to data confidentiality and to the service availability.
   • CVE-2020-36331 An out-of-bounds read was found in function ChunkAssignData. The highest threat from this vulnerability is to data confidentiality and to the service availability.
   CVE-2020-36332 was marked as ignored for stretch due to too disruptive patch for older versions of libwebp.
3. DLA-2687-1 prosody_0.9.12-2+deb9u3
   • CVE-2021-32917 The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server s bandwidth.
   • CVE-2021-32921 Authentication module does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a timing attack to reveal the contents of secret strings to an attacker.
4. DLA-2687-2 prosody_0.9.12-2+deb9u4 Upload prosody_0.9.12-2+deb9u3 introduced a regression in the mod_auth_internal_hashed module. Big thanks to Andre Bianchi for the reporting an issue and for testing the update. CVE-2021-32918, CVE-2021-32920, were marked as ignored for stretch: the affected code is not existing in that version of prosody.

LTS-Meeting I attended the Debian LTS team Jitsi-meeting.

Debian Science Team

openpiv-python I started to package python-openpiv. The software implements PIV (Particle Image Velocimetry) method to compare two images and obtain velocity field.

Other FLOSS activities

Admesh Admesh is the first package which I adopted over 10 years ago! Upstream is not active for a very long time, so I created a github-repo back in 2013. The software helps to manipulate STL-files. STL is the file format for meshes, mostly developed for CAD programs. This month I decided to clean the build system. It was switched to cmake. CI was updated, now it compiles the sources under Linux/Windows environment, runs tests, AddressSanitizer and UndefinedBehaviourSanitizer were employed. Work is ongoing.

Like each month, have a look at the work funded by Freexian s Debian LTS offering. Debian project funding In May, we again put aside 2100 EUR to fund Debian projects. There was no proposals for new projects received, thus we re looking forward to receive more projects from various Debian teams! Please do not hesitate to submit a proposal, if there is a project that could benefit from the funding! We re looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article. Debian LTS contributors In May, 12 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 7.0h (out of 14h assigned and 12h from April), thus carrying over 19h to June.
• Anton Gladky did 12h (out of 12h assigned).
• Ben Hutchings did 16h (out of 13.5h assigned plus 4.5h from April), thus is carrying over 2h for June.
• Chris Lamb did 18h (out of 18h assigned).
• Holger Levsen s work was coordinating/managing the LTS team, he did 5.5h and gave back 6.5h to the pool.
• Markus Koschany did 15h (out of 29.75h assigned and 15h from April), thus carrying over 29.75h to June.
• Ola Lundqvist did 12h (out of 12h assigned and 4.5h from April), thus carrying over 4.5h to June.
• Roberto C. S nchez did 7.5h (out of 27.5h assigned and 27h from April), and gave back 47h to the pool.
• Sylvain Beucler did 29.75h (out of 29.75h assigned).
• Thorsten Alteholz did 29.75h (out of 29.75h assigned).
• Utkarsh Gupta did 29.75h (out of 29.75h assigned).

Evolution of the situation In May we released 33 DLAs and mostly skipped our public IRC meeting and the end of the month. In June we ll have another team meeting using video as lined out on our LTS meeting page.
Also, two months ago we announced that Holger would step back from his coordinator role and today we are announcing that he is back for the time being, until a new coordinator is found.
Finally, we would like to remark once again that we are constantly looking for new contributors. Please contact Holger if you are interested! The security tracker currently lists 41 packages with a known CVE and the dla-needed.txt file has 21 packages needing an update. Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 69 months)
  • GitHub (for 59 months)
  • Civil Infrastructure Platform (CIP) (for 37 months)
• Gold sponsors:
  • Blablacar (for 84 months)
  • Roche Diagnostics International AG (for 80 months)
  • Linode (for 74 months)
  • Babiel GmbH (for 63 months)
  • Plat Home (for 62 months)
  • University of Oxford (for 19 months)
  • Deveryware (for 6 months)
  • VyOS
• Silver sponsors:
  • The Positive Internet Company (for 85 months)
  • Domeneshop AS (for 84 months)
  • Nantes M tropole (for 78 months)
  • Univention GmbH (for 70 months)
  • Universit Jean Monnet de St Etienne (for 70 months)
  • Ribbon Communications, Inc. (for 64 months)
  • Exonet B.V. (for 53 months)
  • Leibniz Rechenzentrum (for 47 months)
  • CINECA (for 37 months)
  • Minist re de l Europe et des Affaires trang res (for 31 months)
  • Cloudways Ltd (for 20 months)
  • Dinahosting SL (for 18 months)
  • Platform.sh (for 13 months)
  • Bauer Xcel Media Deutschland KG (for 12 months)
  • Moxa Intelligence Co., Ltd. (for 6 months)
  • sipgate GmbH (for 4 months)
  • OVH US LLC
  • Tilburg University
• Bronze sponsors:
  • Seznam.cz, a.s. (for 85 months)
  • Evolix (for 84 months)
  • Linuxhotel GmbH (for 82 months)
  • Intevation GmbH (for 81 months)
  • Daevel SARL (for 80 months)
  • Bitfolk LTD (for 79 months)
  • Megaspace Internet Services GmbH (for 79 months)
  • Greenbone Networks GmbH (for 78 months)
  • NUMLOG (for 78 months)
  • WinGo AG (for 77 months)
  • Ecole Centrale de Nantes LHEEA (for 73 months)
  • Entr ouvert (for 69 months)
  • Adfinis AG (for 66 months)
  • Tesorion (for 61 months)
  • GNI MEDIA (for 60 months)
  • Laboratoire LEGI UMR 5519 / CNRS (for 60 months)
  • Bearstech (for 52 months)
  • LiHAS (for 52 months)
  • People Doc (for 48 months)
  • Catalyst IT Ltd (for 46 months)
  • Demarcq SAS (for 40 months)
  • Universit Grenoble Alpes (for 26 months)
  • TouchWeb SAS (for 18 months)
  • SPiN AG (for 15 months)
  • CoreFiling (for 11 months)
  • Institut des sciences cognitives Marc Jeannerod (for 6 months)
  • Observatoire des Sciences de l Univers de Grenoble

LTS This is my third month of working for LTS. I was assigned 12 hrs and worked all of them.

Released DLAs

1. DLA-2646-1 subversion_1.9.5-1+deb9u6
   • CVE-2020-17525: Remote unauthenticated denial-of-service in Subversion mod_authz_svn
2. DLA-2649-1 cgal_4.9-1+deb9u1
   • CVE-2020-28601: An oob read vulnerability exists in Nef_2/PM_io_parser.h PM_io_parser::read_vertex() Face_of[] OOB read. An attacker can provide malicious input to trigger this vulnerability.
   • CVE-2020-28636: An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->twin() An attacker can provide malicious input to trigger this vulnerability.
   • CVE-2020-35628: An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->incident_sface. An attacker can provide malicious input to trigger this vulnerability.
   • CVE-2020-35636: An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() sfh->volume(). An attacker can provide malicious input to trigger this vulnerability.
3. DLA-2660-1 libgetdata_0.9.4-1+deb9u1
   • CVE-2021-20204: A heap memory corruption problem (use after free) can be triggered when processing maliciously crafted dirfile databases. This degrades the confidentiality, integrity and availability of third-party software that uses libgetdata as a library.

Other LTS-related work

bind9 LTS-repo on salsa for testing Created a repo for bind9 to test the package in he salsa-pipeline. Package testing was asked in the mailing list. After that I have added autopkgtests, which were copied from the main salsa-repo and updated to stretch release.

libwebp and imagemagick Two packages with a high number of CVEs were in my focus this month. The work is not yet finished and DLAs will be released soon.

Debian Science Team I have prepared and uploaded following packages, which are maintained under the umbrella of Debian Science Team:

• gfsview_20121130+dfsg-7, fixed RC-Bug #987935 and created ci-pipeline for the package (team upload). And requested the package unblock #988112.
• Reviewed and sponsored linbox_1.6.3-3 (RC-Bug #987921)
• Prepared and uploaded libgetdata_0.10.0-5+deb10u1, fixing CVE-2021-20204 in buster (through proposed-updates)
• Reviewed and sponsored freefem++_3.61.1+dfsg1-6 (RC-Bug #957233)
• Prepared and uploaded sundials_4.1.0+dfsg-4 (RC-Bug #988551)

Like each month, have a look at the work funded by Freexian s Debian LTS offering. Debian project funding In April, we put aside 5775 EUR to fund Debian projects. There was no proposals for new projects received, thus we re looking forward to receive more projects from various Debian teams! Please do not hesitate to submit a proposal, if there is a project that could benefit from the funding! Debian LTS contributors In April, 11 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 14.0h (out of 14h assigned and 12h from March), thus carrying over 12h to May.
• Anton Gladky did 12h (out of 12h assigned).
• Ben Hutchings did 14h (out of 16h assigned and 2.5h from March), thus carrying over 4.5h to May.
• Chris Lamb did 18h (out of 18h assigned).
• Holger Levsen s work was coordinating/managing the LTS team, he did 10h (out of 12h assigned), and gave 2h back to the pool.
• Markus Koschany did 15.0h (out of 30h assigned), thus carrying over 15h to May.
• Ola Lundqvist did 7.5h (out of 12h assigned), thus carrying over 4.5h to May.
• Roberto C. S nchez did 9.5h (out of 32h assigned and 4.5h from March), thus carrying over 27h to May.
• Sylvain Beucler did 30h (out of 30h assigned).
• Thorsten Alteholz did 30h (out of 30h assigned).
• Utkarsh Gupta did 60h (out of 60h assigned).

Evolution of the situation In April we released 33 DLAs and held a LTS team meeting using video conferencing. The security tracker currently lists 53 packages with a known CVE and the dla-needed.txt file has 26 packages needing an update. We are please to welcome VyOS as a new gold sponsor! Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 68 months)
  • GitHub (for 59 months)
  • Civil Infrastructure Platform (CIP) (for 36 months)
• Gold sponsors:
  • Blablacar (for 83 months)
  • Roche Diagnostics International AG (for 79 months)
  • Linode (for 73 months)
  • Babiel GmbH (for 62 months)
  • Plat Home (for 62 months)
  • University of Oxford (for 18 months)
  • Deveryware (for 5 months)
  • VyOS
• Silver sponsors:
  • The Positive Internet Company (for 84 months)
  • Domeneshop AS (for 83 months)
  • Nantes M tropole (for 77 months)
  • Univention GmbH (for 69 months)
  • Universit Jean Monnet de St Etienne (for 69 months)
  • Ribbon Communications, Inc. (for 63 months)
  • Exonet B.V. (for 53 months)
  • Leibniz Rechenzentrum (for 47 months)
  • CINECA (for 36 months)
  • Minist re de l Europe et des Affaires trang res (for 30 months)
  • Cloudways Ltd (for 20 months)
  • Dinahosting SL (for 18 months)
  • Bauer Xcel Media Deutschland KG (for 12 months)
  • Platform.sh (for 12 months)
  • Moxa Intelligence Co., Ltd. (for 6 months)
  • sipgate GmbH (for 3 months)
  • OVH US LLC
  • Tilburg University
• Bronze sponsors:
  • Evolix (for 84 months)
  • Seznam.cz, a.s. (for 84 months)
  • Intevation GmbH (for 81 months)
  • Linuxhotel GmbH (for 81 months)
  • Daevel SARL (for 79 months)
  • Bitfolk LTD (for 78 months)
  • Megaspace Internet Services GmbH (for 78 months)
  • Greenbone Networks GmbH (for 77 months)
  • NUMLOG (for 77 months)
  • WinGo AG (for 77 months)
  • Ecole Centrale de Nantes LHEEA (for 73 months)
  • Entr ouvert (for 68 months)
  • Adfinis AG (for 65 months)
  • GNI MEDIA (for 60 months)
  • Laboratoire LEGI UMR 5519 / CNRS (for 60 months)
  • Tesorion (for 60 months)
  • Bearstech (for 51 months)
  • LiHAS (for 51 months)
  • People Doc (for 48 months)
  • Catalyst IT Ltd (for 46 months)
  • Supagro (for 41 months)
  • Demarcq SAS (for 40 months)
  • Universit Grenoble Alpes (for 26 months)
  • TouchWeb SAS (for 18 months)
  • SPiN AG (for 15 months)
  • CoreFiling (for 10 months)
  • Institut des sciences cognitives Marc Jeannerod (for 5 months)
  • Observatoire des Sciences de l Univers de Grenoble

Like each month, have a look at the work funded by Freexian s Debian LTS offering. Debian project funding In March, we put aside 3225 EUR to fund Debian projects but sadly nobody picked up anything, so this one of the many reasons Raphael posted as series of blog posts titled Challenging times for Freexian , posted in 4 parts on the last two days of March and the first two of April. [Part one, two, three and four] So we re still looking forward to receive more projects from various Debian teams! Learn more about the rationale behind this initiative in this article! Debian LTS contributors In March, 11 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 9.0h (out of 9h assigned and 12h from February), thus carrying over 12h to April.
• Anton Gladky did 12h (out of 12h assigned).
• Ben Hutchings did 25.75h (out of 16h assigned and 12.25h from February), thus carrying over 2.5h to April.
• Chris Lamb did 18h (out of 18h assigned).
• Holger Levsen did 6h coordinating/managing the LTS team.
• Markus Koschany did 30h (out of 30h assigned).
• Ola Lundqvist did 6.h (out of 10h from February).
• Roberto C. S nchez did 9h (out of 32h assigned and 21.5h from February) and gave 40h back, thus carrying over 4.5h to April.
• Sylvain Beucler did 30h (out of 30h assigned).
• Thorsten Alteholz did 30h (out of 30h assigned).
• Utkarsh Gupta did 60h (out of 60h assigned).

Evolution of the situation In March we released 28 DLAs and held our second LTS team meeting for 2021 on IRC, with the next public IRC meeting coming up at the end of May. At that meeting Holger announced that after 2.5 years he wanted to step back from his role helping Rapha l in coordinating/managing the LTS team. We would like to thank Holger for his continuous work on Debian LTS (which goes back to 2014) and are happy to report that we already found a successor which we will introduce in the upcoming April report from Freexian. Finally, we would like to remark once again that we are constantly looking for new contributors. For a last time, please contact Holger if you are interested! The security tracker currently lists 42 packages with a known CVE and the dla-needed.txt file has 28 packages needing an update. We are also pleased to report that we got 4 new sponsors over the last 2 months : thanks to sipgate GmbH, OVH US LLC, Tilburg University and Observatoire des Sciences de l Univers de Grenoble ! Thanks to our sponsors Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 67 months)
  • GitHub (for 58 months)
  • Civil Infrastructure Platform (CIP) (for 35 months)
• Gold sponsors:
  • Blablacar (for 82 months)
  • Roche Diagnostics International AG (for 78 months)
  • Linode (for 72 months)
  • Babiel GmbH (for 61 months)
  • Plat Home (for 61 months)
  • University of Oxford (for 17 months)
  • Deveryware (for 4 months)
• Silver sponsors:
  • The Positive Internet Company (for 83 months)
  • Domeneshop AS (for 82 months)
  • Nantes M tropole (for 77 months)
  • Univention GmbH (for 68 months)
  • Universit Jean Monnet de St Etienne (for 68 months)
  • Ribbon Communications, Inc. (for 62 months)
  • Exonet B.V. (for 52 months)
  • Leibniz Rechenzentrum (for 46 months)
  • CINECA (for 35 months)
  • Minist re de l Europe et des Affaires trang res (for 30 months)
  • Cloudways Ltd (for 19 months)
  • Dinahosting SL (for 17 months)
  • Bauer Xcel Media Deutschland KG (for 11 months)
  • Platform.sh (for 11 months)
  • Moxa Intelligence Co., Ltd. (for 5 months)
  • sipgate GmbH
  • OVH US LLC
  • Tilburg University
• Bronze sponsors:
  • Evolix (for 83 months)
  • Seznam.cz, a.s. (for 83 months)
  • Intevation GmbH (for 80 months)
  • Linuxhotel GmbH (for 80 months)
  • Daevel SARL (for 78 months)
  • Bitfolk LTD (for 77 months)
  • Megaspace Internet Services GmbH (for 77 months)
  • NUMLOG (for 77 months)
  • Greenbone Networks GmbH (for 76 months)
  • WinGo AG (for 76 months)
  • Ecole Centrale de Nantes LHEEA (for 72 months)
  • Entr ouvert (for 67 months)
  • Adfinis AG (for 65 months)
  • GNI MEDIA (for 59 months)
  • Laboratoire LEGI UMR 5519 / CNRS (for 59 months)
  • Tesorion (for 59 months)
  • Bearstech (for 50 months)
  • LiHAS (for 50 months)
  • People Doc (for 47 months)
  • Catalyst IT Ltd (for 45 months)
  • Supagro (for 40 months)
  • Demarcq SAS (for 39 months)
  • Universit Grenoble Alpes (for 25 months)
  • TouchWeb SAS (for 17 months)
  • SPiN AG (for 14 months)
  • CoreFiling (for 9 months)
  • Institut des sciences cognitives Marc Jeannerod (for 4 months)
  • Observatoire des Sciences de l Univers de Grenoble

LTS This is my second month of working for LTS. I was assigned 12 hrs and worked all of them.

Released DLAs

1. DLA 2619-1 python3.5_3.5.3-1+deb9u4
   • CVE-2021-23336: only use & as a query string separator
   • CVE-2021-3426: remove the pydoc getfile feature
   • CVE-2021-3177: replace snprintf with Python unicode
   CVE-2021-23336 introduced an API-change. It was hard decision to upload this fix, because it can potentially break user s code, if they code uses semicolon as separator. Another option is not to fix it at all, leaving the security issue open. Not the best solution. Also I have fixed the failing autopkgtest, which was introduced in one of latest CVE fixes. CI-pipelines on salsa.d.o are helping now to detect such mistakes.
2. DLA 2628-1 python2.7_2.7.13-2+deb9u5
   • CVE-2021-23336: only use & as a query string separator
   • CVE-2019-16935: Escape the server title of DocXMLRPCServer.
   CVE-2021-23336 introduced an API-change, same as for python3.5. But the backporting was much harder because python3->2 is not always easy.

Other LTS-related work

CI-pipelines I try to setup for all LTS-packages which I touch CI-pipelines on salsa.d.o. Setting up pipelines for python3.5 and python2.7 was much harder as for other packages. Failing autopkgtests and some other issues. Though it takes at the beginning more time to setup, I believe it improves package quality.

LTS-Meeting I attended the Debian LTS team Jitsi-meeting.