
LTS report for January



Hello,

Here's my report for January.

## sbuild regression

My first stop this month was to notice a problem with sbuild from
buster running on jessie chroots ([bug #920227][]). After discussions
on IRC, where fellow Debian Developers basically fabricated me a patch
on the fly, I sent [merge request #5][] which was promptly accepted
and should be part of the next upload.

 [merge request #5]: https://salsa.debian.org/debian/sbuild/merge_requests/5
 [bug #920227]: https://bugs.debian.org/920227

## systemd

I again worked a bit on systemd. I marked [CVE-2018-16866][] as not
affecting jessie, because the vulnerable code was introduced in later
versions. I backported fixes for [CVE-2018-16864][] and
[CVE-2018-16865][] and published the resulting package as
[DLA-1639-1][], after doing some smoke-testing.

I still haven't gotten the courage to dig back in the large backport
of `tmpfiles.c` required to fix [CVE-2018-6954][].

 [CVE-2018-16864]: https://security-tracker.debian.org/tracker/CVE-2018-16864
 [CVE-2018-16865]: https://security-tracker.debian.org/tracker/CVE-2018-16865
 [CVE-2018-16866]: https://security-tracker.debian.org/tracker/CVE-2018-16866
 [DLA-1639-1]: https://lists.debian.org/20190123042620.GA4173@curie.anarc.at
 [CVE-2018-6954]: https://security-tracker.debian.org/tracker/CVE-2018-6954

## tiff review

I did a quick review of the fix for [CVE-2018-19210][] [proposed
upstream][] which seems to have brought upstream's attention back to
the issue and led them to finally merge the fix.

 [CVE-2018-19210]: https://security-tracker.debian.org/tracker/CVE-2018-19210
 [proposed upstream]: https://gitlab.com/libtiff/libtiff/merge_requests/47

## Enigmail EOL

After [reflecting on the issue][] one last time, I decided to mark
Enigmail as EOL in jessie, which involved an upload of
debian-security-support to jessie ([DLA-1657-1][]), unstable and a
[stable-pu][].

 [stable-pu]: https://bugs.debian.org/921117
 [DLA-1657-1]: https://lists.debian.org/87sgx72z6a.fsf@curie.anarc.at
 [reflecting on the issue]: https://lists.debian.org/87tvi0cw99.fsf@curie.anarc.at

## DLA / website work

I worked again on fixing the LTS workflow with the DLAs on the main
website. Reminder: hundreds of DLAs are missing from the website ([bug #859122][]) 
and we need to figure out a way to automate the import of
newer ones ([bug #859123][]).

The details of my work are in [this post][] but basically, I re-added a
bunch more DLAs to the MR and got some good feedback from the www team
(in [MR #47][]). There's still some work to be done on the DLA parser,
although I have merged my own improvements ([MR #46][]) as I felt they
had been sitting for review long enough.

Next step is to deal with noise like PGP signatures correctly and
thoroughly review the proposed changes.

While I was in the webmaster's backyard, I tried to help with a few
things by merging an [LTS errata][] and a [paypal integration note][]
although the latter ended up being a mistake that was reverted. I also
rejected some issues ([MR #13][], [MR #15][]) during a quick triage.

 [bug #859122]: https://bugs.debian.org/859122
 [bug #859123]: https://bugs.debian.org/859123
 [this post]: https://lists.debian.org/87o97v2vt1.fsf@curie.anarc.at
 [MR #47]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/47
 [MR #46]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/46
 [LTS errata]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/40
 [paypal integration note]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/39
 [MR #15]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/15
 [MR #13]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/13

## phpMyAdmin review

After reading this [email from Lucas Kanashiro][], I [reviewed][]
[CVE-2018-19968][] and reviewed and tested [CVE-2018-19970][].

 [reviewed]: https://lists.debian.org/87imy32tlu.fsf@curie.anarc.at
 [email from Lucas Kanashiro]: https://lists.debian.org/c2fbedd3-436c-0497-c987-69fa5b2137d9@riseup.net
 [CVE-2018-19970]: https://security-tracker.debian.org/tracker/CVE-2018-19970
 [CVE-2018-19968]: https://security-tracker.debian.org/tracker/CVE-2018-19968

-- 
Non qui parum habet, sed qui plus cupit, pauper est.
It is not the man who has too little, but the man who craves more,
that is poor.            - Lucius Annaeus Seneca (65 AD)
