Debian LTS and ELTS - August 2020
Here is my transparent report for my work, as a paid contributor, on
Debian Long Term Support (LTS) and Debian Extended Long Term Support
(ELTS), which extend the security support for past Debian releases.
In August, the monthly sponsored hours were split evenly among
contributors depending on their max availability - I was assigned
21.75h for LTS (out of my 30 max; all done) and 14.25h for ELTS
(out of my 20 max; all done).
We had a Birds of a Feather videoconf
session
at DebConf20, sadly with varying quality for participants (from
very good to unusable), where we shared the first results of the
LTS survey.
There were also discussions about evaluating our security
reactivity, which proved surprisingly hard to estimate (CVE release
dates and criticality metrics are neither accurate nor easily
available), and about when it is appropriate to use public naming
in procedures.
Interestingly ELTS gained new supported packages, thanks to a new
sponsor -- so far I'd seen the opposite, because we were close to
the EOL.
As always, there were opportunities to de-dup work through mutual
cooperation with the Debian Security team, and through similar
LTS/ELTS updates.
ELTS - Jessie
- Fresh build VMs
- rails/redmine: investigate issue,
initially no-action as it can't be reproduced on Stretch and
isn't supported in Jessie; follow-up
when it's supported again
- ghostscript: global triage: identify upstream fixed version,
distinguish CVEs fixed within a single patch, bisect
non-reproducible CVEs, reference missing commit (including at MITRE)
- ghostscript: fix 25 CVEs, security upload ELA-262-1
- ghostscript: cross-check against the later DSA-4748-1 (almost
identical)
- software-properties: jessie triage: mark back for update, at
least for consistency with Debian Stretch and Ubuntu (all
suites)
- software-properties: security upload ELA-266-1
- qemu: global triage: update status and
patch/regression/reproducer links for 6 pending CVEs
- qemu: jessie triage: fix 4 'unknown' lines for qemu following
changes in package attribution for XSA-297; work continues in
September
LTS - Stretch
- sane-backends: global triage: sort and link patches for 7 CVEs
- sane-backends: fix dep-8 test and notify the maintainer
- sane-backends: security upload DLA-2332-1
- ghostscript: security upload DLA-2335-1 (cf. common ELTS work)
- ghostscript: rebuild ("give back") on armhf, blame armhf, get
told it was a concurrency / build system issue -_-'
- software-properties: security upload DLA-2339-1 (cf. common ELTS work)
- wordpress: global triage: reference regression for
CVE-2020-4050
- wordpress: stretch triage: update past CVE status; work
continues in September, probably with an upstream upgrade 4.7.5
-> 4.7.18
- nginx: cross-check my July update against the later DSA-4750-1
(same fix)
- DebConf BoF + IRC follow-up
Documentation/Scripts
--
https://blog.beuc.net/posts/Debian_LTS_and_ELTS_-_August_2020/