
Report for LTS and ELTS activity for March 2003



Hi,

Here is my public monthly report.

Thanks to our sponsors for making this possible, and to Freexian for
handling the offering.
https://www.freexian.com/services/debian-lts.html#sponsors

In March (my first month), I spent my time on LTS as follows:
- creating the right environment (pbuilder, tools) to do the backport correctly.
- work on imagemagick fixing DLA-3357-1. This release fixes CVE-2020-19667, CVE-2020-25665, CVE-2020-25666, CVE-2020-25674, CVE-2020-25675, CVE-2020-25676, CVE-2020-27560, CVE-2020-27750, CVE-2020-27751, CVE-2020-27754, CVE-2020-27756, CVE-2020-27757, CVE-2020-27758, CVE-2020-27759, CVE-2020-27760, CVE-2020-27761, CVE-2020-27762, CVE-2020-27763, CVE-2020-27764, CVE-2020-27765, CVE-2020-27766, CVE-2020-27767, CVE-2020-27768, CVE-2020-27769, CVE-2020-27770, CVE-2020-27771, CVE-2020-27772, CVE-2020-27773, CVE-2020-27774, CVE-2020-27775, CVE-2020-27776, CVE-2020-29599, CVE-2021-3574, CVE-2021-3596, CVE-2021-20224, CVE-2022-44267, CVE-2022-44268.
- This security update caused a regression in some perl packages due to overly restrictive hardening in a policy update (reading from /etc/ was forbidden). This hardening patch has been removed. (DLA-3357-2)
- I also worked on libreoffice DLA-3368-1 fixing CVE-2021-25636, CVE-2022-3140, CVE-2022-26305, CVE-2022-26306, CVE-2022-26307.
- I began to work on apache2, particularly a new build time/autopkgtest test suite in order to avoid regression.

For ELTS:
- ported the fix for imagemagick from LTS to ELTS ELA-819-1: CVE-2017-18028 CVE-2020-27767 CVE-2021-3574 CVE-2021-20224 CVE-2022-44267
- found a hard-to-debug bug (thanks pochu and bunk for help) on imagemagick. Imagemagick on ELTS FTBFS when the pid of the builder is > 1,000,000.
I first thought it was a regression, so I tried a git bisect, which failed due to the PID becoming > 1,000,000. This was slow work due to the build delay of imagemagick.
- I patched dnsmasq in order to fix the remaining security bug. I began to write a test suite for this package in order to avoid regression.
Unfortunately upstream does not have a test suite, even a basic unit test suite.

I want to especially thank pochu for porting the salsa CI to LTS and ELTS.

Bastien
