Debian LTS and ELTS - July 2020
Here is my transparent report for my work on the Debian Long Term Support
(LTS) and Debian Extended Long Term Support (ELTS), which extend the
security support for past Debian releases, as a paid contributor.
In July, the monthly sponsored hours were split evenly among
contributors depending on their max availability - I was assigned
25.25h for LTS (out of 30 max; all done) and 13.25h for ELTS (out
of 20 max; all done).
We shifted suites: welcome Stretch LTS and Jessie ELTS. The
LTS->ELTS switch happened at the start of the month, but the
oldstable->LTS switch happened later (after finalizing and
flushing proposed-updates to a last point release), causing some
confusion but nothing major.
ELTS - Jessie
- New local build setup
- ELTS buildds: request timezone harmonization
- Reclassify in-progress updates from jessie-LTS to jessie-ELTS
- python3.4: finish preparing update, security upload ELA 239-1
- net-snmp: global triage: bisect CVE-2019-20892 to identify affected version, jessie/stretch not-affected
- nginx: global triage: clarify CVE-2013-0337 status; locate CVE-2020-11724 original patch and regression tests, update MITRE
- nginx: security upload ELA-247-1 with 2 CVEs
LTS - Stretch
- Reclassify in-progress/needed updates from stretch/oldstable to stretch-LTS
- rails: upstream security: follow-up on CVE-2020-8163 (RCE) on upstream bug tracker and create pull request for 4.x (merged), hence getting some upstream review
- rails: global security: continue coordinating upload in multiple Debian versions, prepare fixes for common stretch/buster vulnerabilities in buster
- rails: security upload DLA-2282 fixing 3 CVEs
- python3.5: security upload DLA-2280-1 fixing 13 pending non-critical vulnerabilities, and its test suite
- nginx: security upload DLA-2283 (cf. common ELTS work)
- net-snmp: global triage (cf. common ELTS work)
- public IRC monthly team meeting
- reach out to clarify the intro from last month's report, following unsettled feedback during meeting
Documentation/Scripts
- ELTS/README.how-to-release-an-update: fix typo
- ELTS buildd: attempt to diagnose slow perfs, provide comparison with Debian and local builds
- LTS/Meetings: improve presentation
- SourceOnlyUpload: clarify/de-dup pbuilder doc
- LTS/Development: reference build logs URL, reference proposed-updates issue during dists switch, reference new-upstream-versioning discussion, multiple jessie->stretch fixes and clean-ups
- LTS/Development/Asan: drop wheezy documentation
- Warn about jruby mis-triage
- Provide feedback for ksh/CVE-2019-14868
- Provide feedback for condor update
- LTS/TestsSuites/nginx: test with new request smuggling test cases
https://blog.beuc.net/posts/Debian_LTS_and_ELTS_-_July_2020/