[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

LTS report for January


Here's my report for January.

## sbuild regression

My first stop this month was to notice a problem with sbuild from
buster running on jessie chroots ([bug #920227][]). After discussions
on IRC, where fellow Debian Developers basically fabricated me a patch
on the fly, I sent [merge request #5][] which was promptly accepted
and should be part of the next upload.

 [merge request #5]: https://salsa.debian.org/debian/sbuild/merge_requests/5
 [bug #920227]: https://bugs.debian.org/920227

## systemd

I again worked a bit on systemd. I marked [CVE-2018-16866][] as not
affecting jessie, because the vulnerable code was introduced in later
versions. I backported fixes for [CVE-2018-16864][] and
[CVE-2018-16865][] and published the resulting package as
[DLA-1639-1][], after doing some smoke-testing.

I still haven't gotten the courage to dig back in the large backport
of `tmpfiles.c` required to fix [CVE-2018-6954][].

 [CVE-2018-16864]: https://security-tracker.debian.org/tracker/CVE-2018-16864
 [CVE-2018-16865]: https://security-tracker.debian.org/tracker/CVE-2018-16865
 [CVE-2018-16866]: https://security-tracker.debian.org/tracker/CVE-2018-16866
 [DLA-1639-1]: https://lists.debian.org/20190123042620.GA4173@curie.anarc.at
 [CVE-2018-6954]: https://security-tracker.debian.org/tracker/CVE-2018-6954

## tiff review

I did a quick review of the fix for [CVE-2018-19210][] [proposed
upstream][] which seems to have brought upstream's attention back to
the issue and finally merge the fix.

 [CVE-2018-19210]: https://security-tracker.debian.org/tracker/CVE-2018-19210
 [proposed upstream]: https://gitlab.com/libtiff/libtiff/merge_requests/47

## Enigmail EOL

After [reflecting on the issue][] one last time, I decided to mark
Enigmail as EOL in jessie, which involved an upload of
debian-security-support to jessie ([DLA-1657-1][]), unstable and a

 [stable-pu]: https://bugs.debian.org/921117
 [DLA-1657-1]: https://lists.debian.org/87sgx72z6a.fsf@curie.anarc.at
 [reflecting on the issue]: https://lists.debian.org/87tvi0cw99.fsf@curie.anarc.at

## DLA / website work

I worked again on fixing the LTS workflow with the DLAs on the main
website. Reminder: hundreds of DLAs are missing from the website ([bug #859122][]) 
and we need to figure out a way to automate the import of
newer ones ([bug #859123][]).

The details of my work are in [this post][] but basically, I readded a
bunch more DLAs to the MR and got some good feedback from the www team
(in [MR #47][]). There's still some work to be done on the DLA parser,
although I have merged my own improvements ([MR #46][]) as I felt they
had been sitting for review long enough.

Next step is to deal with noise like PGP signatures correctly and
thoroughly review the proposed changes.

While I was in the webmaster's backyard, I tried to help with a few
things by merging a [LTS errata][] and a [paypal integration note][]
although the latter ended up being a mistake that was reverted. I also
rejected some issues ([MR #13][], [MR #15][]) during a quick triage.

 [bug #859122]: https://bugs.debian.org/859122
 [bug #859123]: https://bugs.debian.org/859123
 [this post]: [🔎] 87o97v2vt1.fsf@curie.anarc.at">https://lists.debian.org/[🔎] 87o97v2vt1.fsf@curie.anarc.at
 [MR #47]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/47
 [MR #46]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/46>
 [LTS errata]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/40
 [paypal integration note]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/39
 [MR #15]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/15
 [MR #13]: https://salsa.debian.org/webmaster-team/webwml/merge_requests/13

## phpMyAdmin review

After reading this [email from Lucas Kanashiro][], I [reviewed][]
[CVE-2018-19968][] and reviewed and tested [CVE-2018-19970][].

 [reviewed]: [🔎] 87imy32tlu.fsf@curie.anarc.at">https://lists.debian.org/[🔎] 87imy32tlu.fsf@curie.anarc.at
 [email from Lucas Kanashiro]: https://lists.debian.org/c2fbedd3-436c-0497-c987-69fa5b2137d9@riseup.net
 [CVE-2018-19970]: https://security-tracker.debian.org/tracker/CVE-2018-19970
 [CVE-2018-19968]: https://security-tracker.debian.org/tracker/CVE-2018-19968

Non qui parum habet, sed qui plus cupit, pauper est.
It is not the man who has too little, but the man who craves more,
that is poor.            - Lucius Annaeus Seneca (65 AD)

Attachment: signature.asc
Description: PGP signature

Reply to: