Chris Lamb: Free software activities in April 2021
Here is my monthly update covering what I have been doing in the free software world during April 2021 (previous month):
- Reviewed and merged two pull requests from Michael K. to my django-slack library, which provides a convenient wrapper between projects using the Django web development framework and the Slack chat platform. Michael's pull requests made Python 3.6+ a hard requirement (#102) and ran the tests against Python 3.9 (#103).
- Made a "no-change" release of my django-email-from-template library to upload a Python wheel (.whl) file to PyPI. [...]
- As part of my role as assistant Secretary of the Open Source Initiative and a board director of Software in the Public Interest, I attended their respective monthly meetings. My term on the OSI board has been slightly extended due to the discovery of a vulnerability in OSI's recent election; as a result, the 2021 election will be re-run to ensure the transparency of the process.
- Filed a pull request against libsass-python (a Python implementation of the Sass CSS preprocessor) in order to make the build reproducible. (#319)
- Interviewed the Ford Foundation's Michael Brennan and published the transcript on our website.
- Drafted, published and publicised our monthly report.
- In Debian:
  - Kept isdebianreproducibleyet.com up to date. [...]
  - I also submitted 2 patches to fix specific reproducibility issues in pristine-lfs and rust-configparser.
- Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
- Updated the main Reproducible Builds website and documentation:
  - Highlight our mailing list on the Contribute page. [...]
  - Add a noun (and drop an unnecessary full-stop) on the landing page. [...]
  - Correct a reference to the date metadata attribute on reports, restoring the display of months on the homepage. [...]
  - Correct a typo of "instalment" within a previous news entry. [...]
  - Added a conspicuous "draft" banner to unpublished blog posts in order to match the report draft banner. [...]
- I also made the following changes to diffoscope, including uploading versions 172 and 173 to Debian:
Debian
- redis (5:6.2.2-1) (to experimental): New upstream release.
- python-django:
  - 2.2.20-1: New upstream security release.
  - 3.2-1 (to experimental): New major upstream release (release notes).
- hiredis (1.0.0-2): Build with SSL/TLS support (#987114), and overhaul various aspects of the packaging.
- mtools (4.0.27-1): New upstream release.
Debian Long Term Support (LTS) This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project:
- Investigated and triaged avahi (CVE-2021-3468), exiv2 (CVE-2021-3482), file-roller (CVE-2020-36314), fluidsynth (CVE-2021-28421), gnuchess (CVE-2021-30184), gpac (CVE-2021-28300), imagemagick (CVE-2021-20309, CVE-2021-20243), ircii (CVE-2021-29376), jetty9 (CVE-2021-28163), libcaca (CVE-2021-30498, CVE-2021-30499), libjs-handlebars, libpano13, libpodofo (CVE-2021-30469, CVE-2021-30470, CVE-2021-30471, CVE-2021-30472), mediawiki, mpv (CVE-2021-30145), nettle (CVE-2021-20305), nginx (CVE-2020-36309), nim (CVE-2021-21372, CVE-2021-21373, CVE-2021-21374), node-glob-parent (CVE-2020-28469), openexr (CVE-2021-3474), python-django-registration (CVE-2021-21416), qt4-x11 (CVE-2021-3481), qtsvg-opensource-src (CVE-2021-3481), ruby-kramdown, scrollz (CVE-2021-29376), syncthing (CVE-2021-21404), thunderbird (CVE-2021-23991, CVE-2021-23992, CVE-2021-23993) & wordpress (CVE-2021-29447).
- Issued DLA 2620-1 to address a cross-site scripting (XSS) vulnerability in python-bleach, a whitelist-based HTML sanitisation library.
- Issued DLA 2622-1 and ELA 402-1 as it was discovered that there was a potential directory traversal issue in Django, the popular Python-based web development framework. The vulnerability could have been exploited by maliciously crafted filenames. However, the upload handlers built into Django itself were not affected. (#986447)
- Jan-Niklas Sohn discovered that there was an input validation failure in the X.Org display server. Insufficient checks on the lengths of the XInput extension's ChangeFeedbackControl request could have led to out-of-bounds memory accesses in the X server. These issues could have led to privilege escalation for authorised clients, particularly on systems where the X server is running as a privileged user. I therefore issued both DLA 2627-1 and ELA 405-1 to address this problem.
- Frontdesk duties, reviewing others' packages, participating in mailing list discussions, etc., as well as attending our monthly meeting.