Free software activities in December 2024

Here is my monthly update covering what I have been doing in the free software world during December 2024 (previous month).

Reproducible Builds

• Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.

• In Debian:

  • Filed a bug against python3-sphinx to track a regression in datetime handling. (#1090724)

  • Kept isdebianreproducibleyet.com up to date. […]

  • I submitted a number of patches to fix specific reproducibility issues, such as ones in pyorbital, python-pbcore, python-pbcore, etc.

• Drafted, published and publicised our monthly report for November 2024.

• Updated the main Reproducible Builds website and documentation, such as:

  • Make the landing page hero look nicer when the vertical height component of the viewport is restricted, not just the horizontal widith.
  • Rename the "Buy-in" page to "Why Reproducible Builds?" […]
  • Removing the top black border. […][…]

Elsewhere in our tooling, I made a number of changes to diffoscope, including preparing and uploading version 284 to Debian, such as updating the tests to support file 5.46 […] and simplifying tests_quines.py to simply use the assert_diff helper and not to mangle the test fixture within the code […].

Debian

Uploads

• memcached:

  • 1.6.33-1 — New upstream release.
  • 1.6.33-2 — Add liburi-perl to Suggests.
  • 1.6.34-1 — New upstream release.

• python-django:

  • 4.2.17-1 — New upstream security release.
  • 5.1.4-1 — New upstream security release.

• installation-birthday (20) — Add /etc/hostname to the list of candidate filename timestamps. Thanks to Colin Watson (cjwatson) for the suggestion.

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Investigated and triaged ceph, ganglia-web (CVE-2024-52762 & CVE-2024-52763), golang-github-lucas-clemente-quic-go (CVE-2024-53259), gst-plugins-base1.0 (CVE-2024-47538, CVE-2024-47541, CVE-2024-47600, CVE-2024-47607, CVE-2024-47615 & CVE-2024-47835), node-postcss (CVE-2021-23566), php-laravel-framework, python-django, quart (CVE-2024-49767), ruby-sinatra, rust-idna (CVE-2024-12224) and ucf.

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.

• Issued DLA 3997-1 because it was discovered that there was a remotely exploitable vulnerability in php-laravel-framework, a popular web application framework written in PHP. When the register_argc_argv directive was set to on and users called a URL with a specially-crafted query string, they were able to change the environment used by the framework when handling the request.

• Issued DLA 4006-1 as it was discovered that there was a potential Denial of Service (DoS) vulnerability, in Django, a popular Python-based web development framework. The strip_tags() method and striptags template filter were subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.

You can find out more about the Debian LTS project via the following video:

You can subscribe to new posts via email or RSS.