Debian LTS and ELTS - August 2020

To: Debian LTS <debian-lts@lists.debian.org>
Subject: Debian LTS and ELTS - August 2020
From: Sylvain Beucler <beuc@beuc.net>
Date: Tue, 1 Sep 2020 13:03:56 +0200
Message-id: <[🔎] f5fe8c8c-466f-255c-e937-1ea0cb521bc0@beuc.net>

Here is my transparent report for my work on the Debian Long Term Support (LTS) and Debian Extended Long Term Support (ELTS), which extend the security support for past Debian releases, as a paid contributor.

In August, the monthly sponsored hours were split evenly among contributors depending on their max availability - I was assigned 21.75h for LTS (out of my 30 max; all done) and 14.25h for ELTS (out of my 20 max; all done).

We had a Birds of a Feather videoconf session at DebConf20, sadly with varying quality for participants (from very good to unusable), where we shared the first results of the LTS survey.

There were also discussions about evaluating our security reactivity, which proved surprisingly hard to estimate (neither CVE release date and criticality metrics are accurate nor easily available), and about when it is appropriate to use public naming in procedures.

Interestingly ELTS gained new supported packages, thanks to a new sponsor -- so far I'd seen the opposite, because we were close to the EOL.

As always, there were opportunities to de-dup work through mutual cooperation with the Debian Security team, and LTS/ELTS similar updates.

ELTS - Jessie

Fresh build VMs
rails/redmine: investigate issue, initially no-action as it can't be reproduced on Stretch and isn't supported in Jessie; follow-up when it's supported again
ghostscript: global triage: identify upstream fixed version, distinguish CVEs fixed within a single patch, bisect non-reproducible CVEs, reference missing commit (including at MITRE)
ghostscript: fix 25 CVEs, security upload ELA-262-1
ghostscript: cross-check against the later DSA-4748-1 (almost identical)
software-properties: jessie triage: mark back for update, at least for consistency with Debian Stretch and Ubuntu (all suites)
software-properties: security upload ELA-266-1
qemu: global triage: update status and patch/regression/reproducer links for 6 pending CVEs
qemu: jessie triage: fix 4 'unknown' lines for qemu following changes in package attribution for XSA-297, work continue in September

LTS - Stretch

sane-backends: global triage: sort and link patches for 7 CVEs
sane-backends: fix dep-8 test and notify the maintainer,
sane-backends: security upload DLA-2332-1
ghostscript: security upload DLA 2335-1 (cf. common ELTS work)
ghostscript: rebuild ("give back") on armhf, blame armhf, get told it was a concurrency / build system issue -_-'
software-properties: security upload DLA 2339-1 (cf. common ELTS work)
wordpress: global triage: reference regression for CVE-2020-4050
wordpress: stretch triage: update past CVE status, work continues in September with probably an upstream upgrade 4.7.5 -> 4.7.18
nginx: cross-check my July update against the later DSA-4750-1 (same fix)
DebConf BoF + IRC follow-up

Documentation/Scripts

Clarify/link salsa:lts-team/lts-extra-tasks against salsa:freexian-team/project-funding (description)
Historical analysis of our CVE fixes: check feasibility
webwml:find-missing-advisories: handle missing trailing slash, print DSA/DLA date, print affected package rather than committer
discussion on public naming (shaming?)
LTS/TestsSuites/sane-backends: test with more complex DEP-8/autopkgtest setup

--
https://blog.beuc.net/posts/Debian_LTS_and_ELTS_-_August_2020/

Reply to:

Next by Date: Re: [Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage python-django for stretch LTS.
Next by thread: Re: [Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage python-django for stretch LTS.
Index(es):
- Date
- Thread