Markus Koschany: My Free Software Activities in August 2020
Welcome to gambaru.de. Here is my monthly report (+ the first week in September) that covers what I have been doing for Debian. If you're interested in Java, Games and LTS topics, this might be interesting for you.
Debian Games
- I packaged a new upstream release of teeworlds, the well-known 2D multiplayer shooter with cute characters called tees to resolve a Python 2 bug (although teeworlds is actually a C++ game). The update also fixed a severe remote denial-of-service security vulnerability, CVE-2020-12066. I prepared a patch for Buster and will send it to the security team later today.
- I sponsored updates of mgba, a Game Boy Advance emulator, for Ryan Tandy, and osmose-emulator for Carlos Donizete Froes.
- I worked around an RC GCC 10 bug in megaglest by compiling with -fcommon.
- Thanks to Gerardo Ballabio who packaged a new upstream version of galois which I uploaded for him.
- Also thanks to Reiner Herrmann and Judit Foglszinger who fixed a regression (crash) in monsterz due to the earlier port to Python 3. Reiner also made fans of supertuxkart happy by packaging the latest upstream release version 1.2.
- I packaged new upstream versions of jboss-modules, libpdfbox2-java and intellij-annotations.
- I was contacted by the upstream maintainer of privacybadger, a privacy addon for Firefox and Chromium, who dislikes the idea of having a stable and unchanging version in Debian stable releases. Obviously I can't really do much about it although I believe the release team would be open-minded for regular point updates of browser addons though. However I don't intend to do regular updates for all of my packages in stable unless there is a really good reason to do so. At the moment I'm willing to make an exception for ublock-origin and https-everywhere because I feel these addons should be core browser functionality anyway. I talked about this on our Debian Mozilla Extension Maintainers mailing list and it seems someone is interested to take over privacybadger and prepare regular stable point updates. Let's see how it turns out.
- Finally this month saw the release of ublock-origin 1.29.0 and the creation of two different browser-specific binary packages for Firefox and Chromium. I have talked about it before and I believe two separate packages for ublock-origin are more aligned to upstream development and make the whole addon easier to maintain which benefits users, upstream and maintainers.
- imlib2, an image library, and binaryen also got updated this month.
- DLA-2303-1. Issued a security update for libssh fixing 1 CVE.
- DLA-2327-1. Issued a security update for lucene-solr fixing 1 CVE.
- DLA-2369-1. Issued a security update for libxml2 fixing 8 CVE.
- Triaged CVE-2020-14340, jboss-xnio as not-affected for Stretch.
- Triaged CVE-2020-13941, lucene-solr as no-dsa because the security impact was minor.
- Triaged CVE-2019-17638, jetty9 as not-affected for Stretch and Buster.
- squid3: I backported the patches for CVE-2020-15049, CVE-2020-15810, CVE-2020-15811 and CVE-2020-24606 from squid 4 to squid 3.
- ELA-271-1. Issued a security update for squid3 fixing 19 CVE. Most of the work was already done before ELTS started, only the patch for CVE-2019-12529 had to be adjusted for the nettle version in Jessie.
- ELA-273-1. Issued a security update for nss fixing 1 CVE.
- ELA-276-1. Issued a security update for libjpeg-turbo fixing 2 CVE.
- ELA-277-1. Issued a security update for graphicsmagick fixing 1 CVE.
- ELA-279-1. Issued a security update for imagemagick fixing 3 CVE.
- ELA-280-1. Issued a security update for libxml2 fixing 4 CVE.