Debian LTS and ELTS - July 2020

To: Debian LTS <debian-lts@lists.debian.org>
Subject: Debian LTS and ELTS - July 2020
From: Sylvain Beucler <beuc@beuc.net>
Date: Tue, 4 Aug 2020 11:21:08 +0200
Message-id: <[🔎] 0e3d821b-a69f-322c-638d-53582bc09220@beuc.net>

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.

In July, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 25.25h for LTS (out of 30 max; all done) and 13.25h for ELTS (out of 20 max; all done).

We shifted suites: welcome Stretch LTS and Jessie ELTS. The LTS->ELTS switch happened at the start of the month, but the oldstable->LTS switch happened later (after finalizing and flushing proposed-updates to a last point release), causing some confusion but nothing major.

ELTS - Jessie

New local build setup
ELTS buildds: request timezone harmonization
Reclassify in-progress updates from jessie-LTS to jessie-ELTS
python3.4: finish preparing update, security upload ELA 239-1
net-snmp: global triage: bisect CVE-2019-20892 to identify affected version, jessie/stretch not-affected
nginx: global triage: clarify CVE-2013-0337 status; locate CVE-2020-11724 original patch and regression tests, update MITRE
nginx: security upload ELA-247-1 with 2 CVEs

LTS - Stretch

Reclassify in-progress/needed updates from stretch/oldstable to stretch-LTS
rails: upstream security: follow-up on CVE-2020-8163 (RCE) on upstream bug tracker and create pull request for 4.x (merged), hence getting some upstream review
rails: global security: continue coordinating upload in multiple Debian versions, prepare fixes for common stretch/buster vulnerabilities in buster
rails: security upload DLA-2282 fixing 3 CVEs
python3.5: security upload DLA-2280-1 fixing 13 pending non-critical vulnerabilities, and its test suite
nginx: security upload DLA-2283 (cf. common ELTS work)
net-snmp: global triage (cf. common ELTS work)
public IRC monthly team meeting
reach out to clarify the intro from last month's report, following unsettled feedback during meeting

Documentation/Scripts

ELTS/README.how-to-release-an-update: fix typo
ELTS buildd: attempt to diagnose slow perfs, provide comparison with Debian and local builds
LTS/Meetings: improve presentation
SourceOnlyUpload: clarify/de-dup pbuilder doc
LTS/Development: reference build logs URL, reference proposed-updates issue during dists switch, reference new-upstream-versioning discussion, multiple jessie->stretch fixes and clean-ups
LTS/Development/Asan: drop wheezy documentation
Warn about jruby mis-triage
Provide feedback for ksh/CVE-2019-14868
Provide feedback for condor update
LTS/TestsSuites/nginx: test with new request smuggling test cases

https://blog.beuc.net/posts/Debian_LTS_and_ELTS_-_July_2020/

Reply to:

Prev by Date: Re: ruby-rails update destroy redmine issue number linking
Next by Date: Re: Bug#966544: snmpd: extend option broken after update
Previous by thread: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
Next by thread: Debian LTS BoF
Index(es):
- Date
- Thread