In March 2025 I worked on the below listed packages for Freexian LTS/ELTS [1].

This was my first official month of LTS/ELTS work (after being onboarded last month). I thus had to investigate some efforts in getting up to speed with all the procedures, but I have not counted that overhead in my work.

Many thanks to Freexian and our sponsors [2] for providing this opportunity!

LTS:

I worked on libaws, libmodbus, opensaml and mercurial.

libaws:
- Investigated enabling the testsuite, but found it not to be viable.
- Set up a project file to be able to test the reproducer for CVE-2024-55581 and shared it on the freexian lts list for anyone interested in reproducing.
- Published debian/bullseye branch and debian/20.2+deb11u1 tag in official maintainer repository and uploaded package to security-master (targeting bullseye-security)
- Published DLA-4080-1

libmodbus:
- Reproduced CVE-2022-0367 according to details in upstream GitHub issue.
- Backported upstream commits needed for fixing outstanding CVEs.
- Published debian/bullseye and tag in official maintainer repo and uploaded to security-master (targeting bullseye-security)
- Published DLA-4084-1

opensaml:
- Forked maintainer repo to salsa.debian.org/lts-team/packages
- Cherry-picked maintainer's patch from bookworm (stable) into bullseye (oldstable) branch.
- Set up CI according to lts-team instructions.
- Uploaded to security-master (targeting bullseye-security)
- Published DLA-4093-1

mercurial:
- Backported patches from bookworm (stable) to bullseye (oldstable)
- Set up test/reproducer environment based on apache in a chroot and reproduced the issue using example cross-site scripting (XSS) and verified the fixed version of the package on bullseye resolved the problem.
- Published debian/bullseye branch and tag in official maintainer repository and uploaded to security-master (targeting bullseye-security)
- Published DLA-4094-1

ELTS:

I worked on mercurial and opensaml.

mercurial/buster,stretch:
- Most of my time was spent on preparing mercurial/buster, which built locally but failed to build on ELTS buildds.
- Asked for help from ELTS collaborators and Jochen Sprickerhof identified the problem was related to changes between python2.7 2.7.16-2+deb10u4 and 2.7.16-2+deb10u5.
- Published wip/buster branch in official maintainer repo.
- Discussions ongoing, but more work needed to finish this and help welcome!

opensaml/buster:
- Not yet listed in ela-needed.txt and discussions on #debian-lts (IRC) concluded that it probably should be and I've reached out to FD.
- Backported patches and uploaded to extended-lts (targeting buster-security). The package built fine, so should be ready for migration when we decide to release it.
- Work published in debian/buster branch and debian/3.2.0-2+deb11u1 tag to lts-team/packages on salsa.
- This means the technical work is basically done, but some administrative tasks remain once FD confirms. I intend to migrate, and issue ELA once I have the ela-needed.txt confirmation.

Agreed to pick up the ELTS work on libmodbus from arturo (see their monthly report for March).

Finally I want to take the chance to thank the people who have helped me out and made me feel like LTS/ELTS work is truly a team effort. Thanks Santiago for giving me a very warm and welcoming onboarding! Thanks Daniel, Jochen and others for helpful feedback on the mailing lists. Thanks pochu, utkarsh2102 and others for help on IRC.

Regards,
Andreas Henriksson

[1] https://www.freexian.com/lts/
[2] https://www.freexian.com/lts/debian/#sponsors