Debian LTS August marked the sixteenth month I contributed to Debian LTS under the Freexian umbrella. I spent 9 hours (of allocated 8) mostly on Rails related CVEs which resulted in DLA-603-1 and DLA-604-1 fixing 6 CVEs and marking others as not affecting the packages. The hardest part was proper testing since the split packages in Wheezy don't allow to run the upstream test suite as is. There's still CVE-2016-0753 which I need to check if it affects activerecord or activesupport. Additionally I had one relatively quiet week of LTS frontdesk work triaging 10 CVEs. Other Debian stuff

• I uploaded git-buildpackage 0.8.2 to experimental and 0.8.3 to unstable. The later bringing all the enhanements and bugfixes since Debconf 16 to sid and testing.
• The usual bunch of libvirt related uploads

Gathering from some recent discussions it seems to be not that well known that Foreman (a lifecycle tool for your virtual machines) does not only integrate well with Puppet but also with ansible. This is a list of tools I find useful in this regard:

• The ansible-module-foreman ansible module allows you to setup all kinds of resources like images, compute resources, hostgroups, subnets, domains within Foreman itself via ansible using Foreman's REST API. E.g. creating a hostgroup looks like:

  - foreman_hostgroup:
      name: AHostGroup
      architecture: x86_64
      domain: a.domain.example.com
      foreman_host: "  foreman_host  "
      foreman_user: "  foreman_user  "
      foreman_pass: "  foreman_pw  "
  

• The foreman_ansible plugin for Foreman allows you to collect reports and facts from ansible provisioned hosts. This requires an additional hook in your ansible config like:

  [defaults]
  callback_plugins = path/to/foreman_ansible/extras/
  

  The hook will report to Foreman back after a playbook finished.
• There are several options for creating hosts in Foreman via the ansible API. I'm currently using ansible_foreman_module tailored for image based installs. This looks in a playbook like:

  - name: Build 10 hosts
    foremanhost:
      name: "  item  "
      hostgroup: "a/host/group"
      compute_resource: "hopefully_not_esx"
      subnet: "webservernet"
      environment: "  env default(omit)  "
      ipv4addr:   from_ipam default(omit)  "
      # Additional params to tag on the host
      params:
          app: varnish
          tier: web
          color: green
      api_user: "  foreman_user  "
      api_password: "  foreman_pw  "
      api_url: "  foreman_url  "
    with_sequence:  start=1 end=10 format="newhost%02d"
  

• The foreman_ansible_inventory is a dynamic inventory script for ansible that fetches all your hosts and groups via the Foreman REST APIs. It automatically groups hosts in ansible from Foreman's hostgroups, environments, organizations and locations and allows you to build additional groups based on any available host parameter (and combinations thereof). So using the above example and this configuration:

  [ansible]
  group_patterns = [" app - tier ",
                    " color "]
  

  it would build the additional ansible groups varnish-web, green and put the above hosts into them. This way you can easily select the hosts for e.g. blue green deployments. You don't have to pass the parameters during host creation, if you have parameters on e.g. domains or hostgroups these are available too for grouping via group_patterns.
• If you're grouping your hosts via the above inventory script and you use lots of parameters than having these displayed in the detail page can be useful. You can use the foreman_params_tab plugin for that.

There's also support for triggering ansible runs from within Foreman itself but I've not used that so far.

Debian LTS July marked the fifteenth month I contributed to Debian LTS under the Freexian umbrella. As usual I spent the 8 hours working on these LTS things:

• Updated QEMU and QEMU-KVM packages to fix CVE-2016-5403, CVE-2016-4439, CVE-2016-4020, CVE-2016-2857 and CVE-2015-5239 resulting in DLA-573-1 and DLA-574-1
• Updated icedove to 45.2.0 fixing CVE-2016-2818 resulting in DLA-574-1
• Reviewed and uploaded xen 4.1.6.lts1-1. The update itself was prepared by Bastian Blank.
• The little bit of remaining time I spent on further work the ruby-active model,record -3.2 and ruby-actionpack-3.2 (aka rails) CVEs. Although I have fixes for most of the CVEs already there are still some left where I'm not yet clear if the packages are affected.
• Added some trivial autopkgtest for qemu-img (#832982) (on non LTS time)

Other Debian stuff

• Fixed CVE-2016-5008 by uploading libvirt 2.0.0 to sid and 1.2.9-9+deb8u3 to stable-p-u
• Uploaded libvirt 2.1.0~rc1 to experimental
• Uploaded libvirt-python 2.0.0 to sid
• Uploaded libosinfo 0.3.1 to sid preparing for the upcoming upstream package split
• Uploaded virt-manager 1.4.0 to sid
• Uploaded network-manager-iodine 1.2.0 to sid
• Uploaded cups-pk-helper 0.2.6 to sid
• Triaged apparmor related bugs in libvirt most notably the one affecting hotplugging of disks (#805002) which turned out to be rooted in the kernel not reloading profiles properly.
• Uploaded git-buildpackage 0.8.0, 0.8.1 to experimental adding additional tarball support to gbp import-orig among other things

Debian LTS June marked the fourteenth month I contributed to Debian LTS under the Freexian umbrella. I spent the 8 hours working on these LTS things:

• Reviewed and tested libxml2 2.8.0+dfsg1-7+wheezy6
• Fixed #825508 in mozilla-devscripts to prepare for the Icedove update resulting in DLA-518-1.
• Rebased the proposed Wheezy Icedove update against the Jessie version and uploaded resulting in DLA-519-1.
• Sent out the DLA-521-1 for Iceweasel, the upload was all done by Mike Hommey.
• Rebuilt enigmail with the fixed mozilla-devscripts so it can still be used in Wheezy, resulting in DLA-523-1.
• continue to work on updates for CVE-2016-0753 for ruby-active record,support -3.2 - not yet finished.
• Looked into open qemu-kvm and qemu CVEs marking CVE-2015-8666 as no-dsa and fixing CVE-2016-3710 and CVE-2016-3712 via DLA-540-1 and DLA-539-1.

Other Debian stuff Besides the usual bunch of libvirt* uploads I addressed several bugs in git-buildpackage, upload pending.

Debian LTS May marked the thirteenth month I contributed to Debian LTS under the Freexian umbrella. I spent the 17.25 hours working on these LTS things:

• Fixed CVE-2014-7210 in pdns resulting in DLA-492-1
• Fixed the build failure of Icedove on armhf resulting in DLA 472-2
• Forward ported our nss, nspr enhancements to to the current versions in testing to continue the discussion on the same nss and nspr versions in all suites including some ABI compliance research (thanks abi-compliance-tester!), resulting in 824872.
• Backported Icedve 45 and Enigmail to wheezy to check if we can continue to support it - we can with a minor tweaks. Upload will happen in June.
• While at that added some autpkgtests for Icedove 45 resulting in 809723 (already applied).
• Released DLA-498-1 for ruby-active-model-3.2 to address CVE-2016-0753.
• Reviewed the Updates of ruby-active-record-3.2 for CVE-2015-7577 and eglibc.

Other Debian stuff

• Uploaded libvirt 1.3.4 to sid, 1.3.5~rc1 to experimental
• Uploaded libosinfo 0.3.0 to sid
• Uploaded git-buildpackage 0.7.4 to sid including experimental multiple tarball support for gbp buildpackage

Debian LTS April marked the twelfth month I contributed to Debian LTS under the Freexian umbrella. I only spent 2 hours (instead of expected 11,25) working on LTS things:

• Uploaded gtk+3.0 to wheezy-proposed-updates to fix CVE-2013-7447 (#818090).
• Further work on figuring out how to support Xen and QEMU in Wheezy LTS including writing up a summary and a interview with one prospective company
• Prepared a patch for Jessie's nss to fix CVE-2016-1950, CVE-2016-1979, CVE-2016-1978, CVE-2016-1938 based on Antiones work for Wheezy. This is currently pending review by the security team.
• Started to look into CVE-2014-7210 in pdns

The missing hours will be caught up during May - hopefully also by working on a QEMU/libvirt update in Wheezy should there be any interest - so I've you're relying on QEMU/KVM in wheezy now would be a good time to comment on it. Other Debian things

• Attended the 9th Debian Groupware Meeting in the LinuxHotel in Essen resulting in a new upload of calypso to unstable.
• Uploded libvirt and python-libvirt 1.3.3, virt-sandbox 0.5.1+git20151113-3 and virt-manager 1.3.2-3 to unstable and libvirt 1.3.4~rc1 to experimental

Debian LTS March was the eleventh month I contributed to Debian LTS under the Freexian umbrella. In total I spent 13 hours (of allocated 11.00 + 5.25h from last month) working on preparing for wheezy-lts:

• Uploaded aptdaemon to old-, stable-proposed-updates (#818006, #818007)
• Fix CVE-2012-6700, CVE-2012-6769 CVE-2012-6768, in Wheezy's dhcpcd resulting in DSA-3534
• Reach out to Debian's Xen and KVM maintainers, Xen's community manager and several company to asses LTS maintainability
• Research and propose a possible way forward for QEMU and libvirt
• Upload a backport of libvirt to wheezy-backports for that
• Prepare a fix for Wheezy's gtk+3.0 for CVE-2013-7447 (#818090) and propose it for oldstable-p-u (#819362)
• Looked into Wheezy's lxc and CVE-2015-1335 specifically and marking it as no-dsa after discussion with the security-team.
• Make bin/support-ended.py support EOL dates
• Review Antiones nss work for Wheezy and work on the corresponding update for Jessie in order (to be finished this month).

Other Debian things

• Uploaded several libvirt related packages like ruby-libvirt 0.6.0, libvirt-glib 0.2.3 and libvirt-sandbox 0.5.1+git20151113, libvirt 1.3.3~rc1
• Uploaded git-buildpackage 0.7.3
• Preparations for the 9th Debian Groupware Meeting

More sandboxing When working on untrusted code or data it's impossible to predict what happens when one does a:

bundle install --path=vendor

or

npm install

Does this phone out your private SSH and GPG keys? Does a

evince Downloads/justdownloaded.pdf

try to exploit the PDF viewer? While you can run stuff in separate virtual machines this can get cumbersome. libvirt-sandbox to the rescue! It allows to sandbox applications using libvirt's virtualization drivers. It took us a couple of years (The ITP is from 2012) but we finally have it in Debian's NEW queue. When libvirt-sandbox creates a sandbox it uses your root filesystem mounted read only by default so you have access to all installed programs (this can be changed with the --root option though). It can use either libvirt's QEMU or LXC drivers. We're using the later in the examples below: So in order to make sure the above bundler call has no access to your $HOME you can use:

sudo virt-sandbox \
   -m ram:/tmp=10M \
   -m ram:$HOME=10M \
   -m ram:/var/run/screen=1M \
   -m host-bind:/path/to/your/ruby-stuff=/path/to/your/ruby-stuff \
   -c lxc:/// \
   -S $USER \
   -n rubydev-sandbox \
   -N dhcp,source=default \
   /bin/bash

This will make your $HOME unaccessible by mounting a tmpfs over it and using separate network, ipc, mount, pid and utc namespaces allowing you to invoke bundler with less worries. /path/to/your/ruby-stuff is bind mounted read-write into the sandbox so you can change files there. Bundler can fetch new gems using libvirt's default network connection. And for the PDF case:

sudo virt-sandbox \
  -m ram:$HOME=10M \
  -m ram:/dev/shm=10M \
  -m host-bind:$HOME/Downloads=$HOME/Downloads \
  -c lxc:/// \
  -S $USER \
  -n evince-sandbox \
  --env="DISPLAY=:0" \
  --env="XAUTHORITY=$XAUTHORITY" \
  /usr/bin/evince Downloads/justdownloaded.pdf

Note that the above example shares /tmp with the sandbox in order to give it access to the X11 socket. A better isolation can probably be achieved using xpra or xvnc but I haven't looked into this yet. Besides the command line program virt-sandbox there's also the library libvirt-sandbox which makes it simpler to build new sandboxing applications. We're not yet shipping virt-sandbox-service (a tool to provision sandboxed system services) in the Debian packages since it's RPM distro specific. Help on porting this to Debian is greatly appreciated.

As a follow up to calendar synchronisation with calypso, syncevolution and the N900 running maemo I finally added contacts to the mix: on the phone When you have the calendar sync already running it's as simple as: First start ssh on the n900 to ease typing:

apt-get install dropbear
echo /bin/sh >> /etc/shells
cd /etc/dropbear && ./run

SSH into the phone and configure contacts synchronization:

cat <<EOF > ~/.config/syncevolution/webdav/sources/addressbook/config.ini
backend = CardDAV
database = https://carddav.example.com/contacts/username
EOF

And perform the initial sync:

syncevolution --sync slow webdav addressbook

From there on you can sync contacts and calendars in one go with:

syncevoluton webdav

Looking at the calypso logs on the server it seems that syncevoluton does not always generate an FN entry and so the card gets skipped. This doesn't harm the overall sync, but I need to have a look how to fix this. on the laptop In order to use the contacts im mutt there's pycarddav packaged in Debian. This is basically following upstreams documentation.

sudo apt-get install pycarddav
mkdir -p ~/.config/pycard
cp /usr/share/doc/pycarddav/examples/pycard.conf.sample ~/.config/pycard/pycard.conf
# Edit file as needed
cat ~/.config/pycard/pycard.conf
[Account username]
user: username
resource: https://carddav.example.com/
write_support = YesPleaseIDoHaveABackupOfMyData
[query]
where: vcard
[sqlite]
[default]
debug: False

To use the entries in mutt add the just extend your .muttrc:

cat <<EOF >>~/.muttrc
set query_command="pc_query -m %s"
macro index,pager B "<pipe-message>pycard-import<enter>" "add sender address to pycardsyncer"
EOF

This allows you to query contacts using Q and add new conatcs with CTRL-B in mutt's index and pager. Calypso Changes We recently moved calypso's git repository to alioth and started to merge several out of tree patches. More will happen during this years Debian Groupware Meeting including a new upload to Debian.

Debian LTS February was the tenth month I contributed to Debian LTS under the Freexian umbrella. In total I spent 7 hours (of allocated 11.15 hours) working on squeeze-lts:

• Triage of 17 CVEs for squeeze-lts. I misread the calendar and thought I was on front-desk duty for a couple of days. Fortunately no duplicate work was done.
• Prepared and released DLA-427-1 for nss fixing CVE-2016-1938 after checking that nss is not affected by CVE-2015-7575 since MD5 signatures never got disabled - another good reason why we should have the same nss in all suites.

and to make sure we have fewer issues that are fixed in squeeze-lts but affect wheezy

• I prepared patches for CVE-2015-8036 and CVE-2015-5291 for polarssl for jessie including some autpkgtests (wheezy already happened in January) resulting in DSA-3468-1.
• Prepared patches for CVE-2015-1323 affecting apt-daemon (789162) for jessie and wheezy waiting for a review.

On non LTS time I cooked up a script to make it simpler to check if a package has security support in a certain release. Now that squeeze-lts is history I'd like to thank the Debian Security Team for their help and answers to all the questions related to security tracker, DSAs, DLAs and whatnot. I'm looking forward to wheezy-lts now Other Debian stuff

• Uploaded libvirt-python 1.3.1 to unstable.
• Uploaded virt-manager 1.3.2 to experimental.
• Uploaded libvirt 1.3.2-2 to unstable dropping the libvirt-bin transitional package after NMUing gnome-boxes and virt-goodies to remove the dependency.
• Uploaded whatmaps to experimental switching to Python3

Debian LTS January was the ninth month I contributed to Debian LTS under the Freexian umbrella. In total I spent 13 hours working on:

• LTS Frontdesk duties like the triaging of 34 CVEs. That was about twice as much CVEs coming as during December's frontdesk work.
• I looked into what needs to be done DLA wise when we move from Squeeze to Wheezy. For that I added a script do find discrepancies between Squeeze LTS and Wheezy.
• I uploaded giflib to squeeze-lts(DLA-389-1), wheezy(#812363) and jessie(#812362) proposed updates.
• I forward ported the fix for CVE-2015-5291 for polarssl to Wheezy adding autopkgtests on the way (#812420) (forward port to Jessie happend in February)
• I forward ported a patch for freetype fixing CVE-2014-9674 to wheezy(DSA-3461-1) - Jessie being not affected.
• Finally I added some basic autopkgtests to icu (#813338).

There was no progress on using the same nss in all suites. This will continue in February as does the Squeeze-lts Wheezy forward porting. Other Debian stuff

• I uploaded libvirt 1.3.1~rc1 and 1.3.1~rc2 to experimental and 1.3.1 final to unstable.
• Released git-buildpackage 0.7.2

Debian LTS December was the eighth month I contributed to Debian LTS under the Freexian umbrella. It was a bit of a funny month since most of the time most open CVEs were already taken care of by other team members (which is nice) but it resulted in me not releasing a single DLA which feels weird. Nevertheless in total I spent nine hours working on:

• LTS Frontdesk duties like the triaging of 16 CVEs and patch reviews (which actually found an error reassuring me that spending time on this is useful).
• Finding a fix for CVE-2015-7555 in giflib. I did not release a DLA yet since I hoped upstream would comment if this is the proper fix.
• nss/nspr:
  • Discussion on using the same nss in all suites continued.
  • I did further upgrade test for nss focusing on Java this time (which is a heavy user of nss for its certificate handling).
  • Enabled the internal testsuite of nspr as well since nss and nspr often get updated in lockstep. This resulted in 809723 and upstream bugs 1236333, 1236334, 1236244 (which were already merged thanks to Wan-Teh Chang). The current modifications are available here. Overall the test suite needs more cleanups but it's already useful as is.

On unpaid time I introduced some usertags for tracking our non DLA related activities (although it seems I'm currently the only user). Other Debian stuff

• I uploaded libvirt 1.3.0~rc1 and 1.3.0~rc2 to experimental and 1.3.0 final to unstable.
• I uploaded libvirt-python 1.3.0 with newly added autopkg tests
• Filed bugs reminding that libvirt-bin is a transitional package that will be dropped soon.
• Finally released gbp 0.7.1 with lots of changes most of these where already mentioned in the December installment of this post but there's more:
  • git-pbuilder updates to 1.37 and 1.38
  • fixes for 791759 and 766350,
  • doc updates including the addition of the patch queue handling
  Still looking for time to finish gbp import-orig's rollback support.
• I added a function to link to the Debian BTS to my emacs config to ease writing these kind of posts.

I'm often using jenkins-job-builder to automatically create jenkins jobs since writing them in YAML is more comfortable then doing large amounts of jobs in the GUI, it serves consistency and helps automation. For views and build pipelines I so far resorted to other tools (like templates in the config management tool at use) but now there's jenkins-job-builder-addons by jimbydamonk. Creating a delivery pipeline view and the "All" view then gets as simple as:

- job:
    name: MyApp
    project-type: folder
    views:
      - delivery_pipeline:
          filter-executors: false
          filter-queue: false
          folder: true
          components:
            - name: Deploy
              first-job: app-deploy-test
          name: myapp-deploy-pipeline
          build-view-title: "MyApp Deploy Pipeline"
          number-of-pipelines: 3
          show-aggregated-pipeline: true
          number-of-columns: 1
          sorting: none
          show-avatars: false
          update-interval: 1
          allow-manual-triggers: true
          show-total-buildtime: true
          allow-rebuild: true
          allow-pipeline-start: true
      - all:
         folder: true
         name: All

This also uses the folder plugin to make sure the views end up in separate files. It currently needs a slightly patched jenkins-job-builder with this patch applied. Putting this here since I hit jenkins-job-builder-addons mostly by accident. Once jenkins-job-builder catched up I'll look into packaging this for Debian.

ansible is a great tool for deployments. While it doesn't ship that many unit tests it comes with heaps of integration tests that can be run using:

git submodule update --init
. hacking/env-setup
cd tests/integration
make

after cloning the repo from here. However when working on individual parts one often only wants to test a single role. This can be done via:

git submodule update --init
. hacking/env-setup
cd tests/integration
ansible-playbook -e @integration_config.yml -i"testhost," -c local test_filters.yml

when e.g. working on some new filers. Just putting it here since I just found myself digging this out the second time.

Debian LTS November was the seventh month I contributed to Debian LTS under the Freexian umbrella. In total I spent ten hours working on:

• krb5: Released DLA-340-1 after applying a fix to the work done in October.
• nss: Provided patches for CVE-2015-7181 and CVE-2015-7182 for squeeze, wheezy and jessie and released DLA-354-1 for squeeze-lts for that. Since nss is subject to frequent security updates I wanted to spend less time doing "did I break the whole thing" testing so I added some autopkg tests that do basic certificate handling and make sure we can link a simple binary against the dev package (#806207). We also discussed using the same nss version in all suites on the debian-lts list. To test that path I worked on creating backports for Jessie/Wheezy/Squeeze of the current sid version. So far I tested the general feasibility and some simple upgrades. To be able to detect breackage more easily I enabled the internal test suite resulting in #806639. I also filed #806634 to ease backporting in the future. Packages are collected here with the sources in this (temporary) git repo. Work on this will continue in December.

Other Debian stuff

• There was no git-buildpackge upload in November but the git repository already collected some fixes and new features like building RPMs in clean chroots using mock. Patches for this were provided by Tzafrir Cohen. I've been hoping we get #775118 fixed in mock so it becomes actually useful in Debian before uploading a new gbp version. There's also now an example for README.source for gbp managed source packages. I'd be nice to have patches to further improve this. The main reason for not uploading new gbp yet is that I said at Debconf that I'll improve error recovery in gbp import-orig with the next or next next upload and that would be 0.7.1 latest. I did no get around to continue on this since Debconf though.
• I supplied a patch for pbuilder's #802800 to allow building with -g
• Uploaded libvirt 1.2.21 to unstable.

Debian LTS October was the sixth month I contributed to Debian LTS under the Freexian umbrella. In total I spent four hours working on:

• krb5: I applied patches for CVE-2015-2697 and CVE-2015-2695. The DLA-340-1 was released on November though since one of the patches was incomplete.

Besides that I did CVE triaging of 16 CVEs to check if and how they affect oldoldstable security as part of my LTS front desk work. I also added some very basic indentation support to our CVE/list Emacs major-mode on non LTS time. Other Debian stuff

• I've released git-buildpackage 0.7.0 with lots of updates, most notably more complete rpm support, a git-pbuilder update and documentation updates. This release has patches from 9 different contributors, thanks a lot!
• Uploaded libvirt 1.2.21~rc1 to experimental, submitted a patch to fix running autopkg tests in pbuilder (#802379) and fixed RC bug #802281 in Icedove.
• I've updated cl2vcs, a CGI to link commit IDs in the debian/changelog to the VCS, to 0.0.4 fixing some bugs that showed up after I updated the hosting machine to Jessie as well as support for the [commitid1,commitd2,commit3,...] format when grouping commits. (SSL certificate of the server is CAcert signed)
• At Halloween five Debian aficionados met for Hacking Erpel 1 (aka HEPL1) in Erpel (link goes to German Wikipedia) between Bonn and Koblenz. Some details are here. We're aiming for more of these events on a more frequent basis (HEPL0 being back in 2013) so if you're somewhere from that area and want to join us next time just subscribe to the new mailing list (in German, SSL certificate of the server is CAcert signed).

Debian LTS August was the fifth month I contributed to Debian LTS under the Freexian umbrella. In total I spent eight hours working on:

• glibc: I fixed four security issues resulting in DLA-316-1 mostly by backporting fixes from current Git. This involved some issues that didn't have a CVE assigned yet. Salvatore gave a nice summary on how to handle these.
• nss: The backport of the fixes for CVE-2015-2721 and CVE-2015-2730 resulted in DLA-315-1.

Besides that I did CVE triaging of 9 CVEs to check if and how they affect oldoldstable security as part of my LTS front desk work. Other Debian work I finally sent out the summary of the 8th Debian Groupware Meeting we had in the Linuxhotel earlier this year and gave a short talk about Debian at the Zarafa Tour in the Netherlands.

Debian LTS August was the fourth month I contributed to Debian LTS under the Freexian umbrella. In total I spent four hours working on:

• pykerberors: Fixed a regression in DLA-265-1 affecting the default parameters of checkPassword(). This resulted in DLA-265-2.
• wordpress: Craig Small updated wordpress to fix CVE-2015-2213 CVE-2015-5622 CVE-2015-5731 CVE-2015-5732 and CVE-2015-5734. I did some testing and released DLA-294-1.

Besides that I did CVE triaging of 9 CVEs to check if and how they affect oldoldstable security as part of my LTS front desk work. Debconf 15 was a great opportunity to meet some of the other LTS contributors in person and to work on some of my packages: Git-buildpackage git-buildpackage gained buildpackage-rpm based on the work by Markus Lehtonnen and merging of mock support is hopefully around the corner. Debconf had two gbp skill shares hosted by dkg and a BoF by myself. A summary is here. Integration with dgit as (discussed with Ian) looks doable and I have parts of that on my todo list as well. Among other things gbp import-orig gained a --merge-mode option so you can replace the upstream branches verbatim on your packaging branch but keep the contents of the debian/ directory. Libvirt I prepared an update for libvirt in Jessie fixing a crasher bug, QEMU error reporting. apparmor support now works out of the box in Jessie (thanks to intrigeri and Felix Geyer for that). Speaking of apparmor I learned enough at Debconf to use this now by default so we hopefully see less breackage in this area when new libvirt versions hit the archive. The bug count wen't down quiet a bit and we have a new version of virt-manager in unstable now as well. As usual I prepared the RC candidates of libvirt 1.2.19 in experimental and 1.2.19 final is now in unstable.

July was the third month I contributed to Debian LTS under the Freexian umbrella. In total I spent eight hours working on:

• lighttpd: Fixed CVE-2014-3566 by adding a option to disable SSLv3 (ssl.use-sslv3) compatible with the option added to newer versions. This resulted in DLA-282-1.
• nss: research on CVE-2015-2730 and CVE-2015-2721. Work on the former is still ongoing since the bug#1125025 referenced in the mozilla advisory has restricted access and I did not manage to get it opened yet. I found commits in uptream's mercurial that reference the bug though and the comitter was nice enough to answer questions. The backported changes for CVE-2015-2721 involve lots of changes to the internal state machine when accepting SSL connections so I'm currently looking into backporting the test suite for that on non LTS time.

Besides that I did CVE triaging of 11 CVEs to check if and how they affect oldoldstable security as part of my LTS front desk work.

June was the second month I contributed to Debian LTS under the Freexian umbrella. In total I spent ten hours working on:

• libwmf: research on CVE-2015-4588 and CVE-2015-0848. This resulted in DLA-253-1. RedHat's Bug#1227243 was a great resource here.
• librack-ruby: research on CVE-2015-3225. This resulted in DLA-254-1.

Besides that I did CVE triaging of 17 CVEs to check if and how they affect oldoldstable security. The information provided by the Security team on these issues in data/CVE/list is an awesome help here. So I tried to be as verbose when triaging CVEs that weren't looked at for Wheezy or Jessie yet. On non LTS time I patched our lts-cve-triage tool to allow to skip packages that are already in dla-needed.txt. This avoids wasting time on CVEs that were already triaged.