Utkarsh Gupta: FOSS Activities in March 2021
Here's my (eighteenth) monthly update about the activities I've done in the F/L/OSS world.
Debian
This was my 27th month of actively contributing to Debian.
I became a DM in late March 2019 and a DD on Christmas '19! \o/
This month was a bit exhausting; lots of moving parts. With the financial year ending, it was even more crazy, with me running around to banks, CA, et al.
Anyway, with now working on Ubuntu full-time, I did little of Debian this month. Here are the following things I worked on:
Uploads and bug fixes:
- polybar (3.5.5-1) - New upstream version, v3.5.5.
- ruby-http-parser (1.2.1-5) - Disable tests causing FTBFS on s390x architecture.
- debian-security-support (1:11+2021.03.19) - Fix for bug #984539: dpkg hook should never fail.
- Filed bug #985314 against asterisk (systemd misconfiguration) and added a patch as well.
- Filed bug #985421 against at (add DEP8 tests) and added a patch as well.
Other $things:
- Attended the Debian LTS team meeting.
- Mentoring for newcomers.
- Moderation of -project mailing list.
Debian (E)LTS
Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.
And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).
This was my eighteenth month as a Debian LTS and ninth month as a Debian ELTS paid contributor.
I was assigned 60.00 hours for LTS and 39.00 hours for ELTS and worked on the following things:
LTS CVE Fixes and Announcements:
- Issued DLA 2580-1, fixing CVE-2021-21311, for adminer.
For Debian 9 stretch, these problems have been fixed in version 4.2.5-3+deb9u2.
- Issued DLA 2581-1, fixing CVE-2021-27803, for wpa.
For Debian 9 stretch, these problems have been fixed in version 2:2.4-1+deb9u9.
- Issued DLA 2585-1, fixing CVE-2020-13848, for libupnp.
For Debian 9 stretch, these problems have been fixed in version 1:1.6.19+git20160116-1.2+deb9u1.
- Issued DLA 2589-1, fixing CVE-2020-26519 and CVE-2021-3407, for mupdf.
For Debian 9 stretch, these problems have been fixed in version 1.9a+ds1-4+deb9u6.
- Issued DLA 2593-1, fixing bug #962596, for ca-certificates.
For Debian 9 stretch, these problems have been fixed in version 20200601~deb9u2.
- Issued DLA 2589-2, fixing regression caused by DLA 2589-1, for mupdf.
For Debian 9 stretch, these problems have been fixed in version 1.9a+ds1-4+deb9u7.
- Issued DLA 2598-1, fixing CVE-2020-25097, for squid3.
For Debian 9 stretch, these problems have been fixed in version 3.5.23-5+deb9u6.
- Issued DLA 2599-1, fixing CVE-2021-28963, for shibboleth-sp2.
For Debian 9 stretch, these problems have been fixed in version 2.6.0+dfsg1-4+deb9u2.
- Issued DLA 2601-1, fixing CVE-2021-3429, for cloud-init.
For Debian 9 stretch, these problems have been fixed in version 0.7.9-2+deb9u1.
- Issued DLA 2558-2, fixing regression caused by DLA 2558-1, for xterm.
For Debian 9 stretch, these problems have been fixed in version 327-2+deb9u2.
- Released debian-security-support to unstable via Holger to fix bug #984539.
ELTS CVE Fixes and Announcements:
- Issued ELA 374-1, fixing CVE-2021-27803, for wpa.
For Debian 8 jessie, these problems have been fixed in version 2.3-1+deb8u13.
- Issued ELA 375-1, fixing CVE-2021-3410, for libcaca.
For Debian 8 jessie, these problems have been fixed in version 0.99.beta19-2+deb8u2.
- Issued ELA 376-1, fixing CVE-2020-25638, for libhibernate3-java.
For Debian 8 jessie, these problems have been fixed in version 3.6.10.Final-3+deb8u1.
- Issued ELA 382-1, fixing CVE-2020-25097, for squid3.
For Debian 8 jessie, these problems have been fixed in version 3.5.23-5+deb8u3.
- Issued ELA 385-1, fixing CVE-2021-28963, for shibboleth-sp2.
For Debian 8 jessie, these problems have been fixed in version 2.5.3+dfsg-2+deb8u2.
- Issued ELA 363-2, fixing regression caused by ELA 363-1, for xterm.
For Debian 8 jessie, these problems have been fixed in version 312-2+deb8u2.
Other (E)LTS Work:
- Front-desk duty from 01-03 until 07-03 for ELTS and then from 29-03 until 04-04 for both LTS and ELTS.
- Triaged wpa, python-aiohttp, spip, wpa, qemu, tomcat7, tomcat8, grub2, mupdf, openssh, tiff, spice, pillow, xmlgraphics-commons, batik, libupnp, ca-certificates, salt, squid3, shibboleth-sp2, courier-authlib, cloud-init, spamassassin, openssl, libcaca, and openjpeg2.
- Marked CVE-2021-21330/python-aiohttp as not-affected for stretch.
- Marked CVE-2021-20233, CVE-2021-20225, CVE-2020-27779, CVE-2020-27778, CVE-2020-27749, CVE-2020-27748, CVE-2020-25647, CVE-2020-25632, CVE-2020-25631, and CVE-2020-14372, affecting grub2, as ignored for stretch and jessie.
- Marked CVE-2020-27842/openjpeg2 as no-dsa for jessie.
- Marked CVE-2020-27843/openjpeg2 as no-dsa for jessie.
- Marked CVE-2021-28041/openssh as not-affected for jessie.
- Marked CVE-2020-3552{3,4}/tiff as no-dsa for jessie.
- Marked CVE-2021-20201/spice as no-dsa for jessie.
- Marked CVE-2020-11988/xmlgraphics-commons as postponed for jessie.
- Marked CVE-2020-11987/batik as postponed for jessie.
- Marked CVE-2020-12695/libupnp as no-dsa for stretch.
- Marked CVE-2021-25122/tomcat7 as not-affected for stretch.
- Marked CVE-2021-25329/tomcat7 as ignored for stretch.
- Marked CVE-2021-28116/squid3 as postponed for stretch and jessie.
- Marked CVE-2021-3449/openssl as not-affected for stretch.
- Document extra notes for grub2 for LTS and co-ordinate with the sec-team.
- Document extra notes for pillow about piled-up issues in jessie.
- Issued DLA-2593-1 for ca-certificates on Microsoft's request; co-ordinating w/ them.
- Co-ordinating w/ maintainer of courier-authlib for stretch and jessie update.
- Fixing build failures of ELTS security tracker and re-ordering entries in data/CVE-EXTENDED-LTS/list file.
- Answer queries of dupondje and mikap about openssl on IRC; and it being not-affected for stretch.
- Help review the status of CVE-2021-3121/golang-github-gogo-protobuf-dev for Ola.
- Co-ordinating w/ Noah for cloud-init and setuptools.
- Auto EOL'ed mongodb, linux, guacamole-client, node-xmlhttprequest, newlib, neutron, privoxy, glpi, and zabbix for jessie.
- Attended monthly meeting for Debian LTS.
- Answered questions (& discussions) on IRC (#debian-lts and #debian-elts).
- General and other discussions on LTS private and public mailing list.
Until next time.
:wq for today.