Free software activities in January 2024

Here is my monthly update covering what I have been doing in the free software world during January 2024 (previous month):

• IEEE Software announced that a paper that I co-authored with Dr. Stefano Zacchiroli has recently been awarded their ‘Best Paper’ award. (More info.)

• I merged a change from Alexandre Detiste to remove a dependency on the Six Python library in a Django library of mine. [...]

Reproducible Builds

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

This month, I:

• Kept isdebianreproducibleyet.com up to date. [...]

• Submitted a patch to fix a specific reproducibility issues in mumble.

• Drafted, published and publicised our monthly report.

• Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.

Elsewhere in our tooling, I made a number of changes to diffoscope, our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues, including preparing and uploading versions 254 and 255 to Debian.

Debian

• hiredis:

  • 1.2.0-5 — Upload 1.2 branch to Debian unstable (from experimental).
  • 1.2.0-6 — Temporarily allow timeout-related tests to fail.

• memcached (1.6.23-1) — New upstream release.

• python-django:

  • 4.2.9-1 — New upstream bugfix release.
  • 5.0.1-1 — New upstream bugfix release (to experimental).

• python-hiredis:

  • 2.3.2-1 — New upstream release and migrate to using dh_auto_test.
  • 2.3.2-2 — Don't use local version of libhiredis; use the system one. (#1057791)

• redis:

  • 7.0.15-1 — New [upstream 7.0.x security release]https://raw.githubusercontent.com/redis/redis/7.0/00-RELEASENOTES).
  • 7.2.4-1 — New upstream 7.2.x security release.

Elsewhere in Debian, I requested the removal of my aptfs package. (#1061331)

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Investigated and triaged coreutils (CVE-2024-0684), gnutls28 (CVE-2024-0553), golang-1.11 (CVE-2023-39326, CVE-2023-45285 & CVE-2023-45287), gpac (CVE-2023-50120, CVE-2024-0321 & CVE-2024-0322), gtkwave, mock (CVE-2023-6395), python-asyncssh (CVE-2023-48795), qemu (CVE-2023-1544 & CVE-2023-3354), spip (CVE-2024-23659), sympa (CVE-2021-46900) & trilead-ssh2 (CVE-2023-48795)

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, etc.

• Updated the Git workflow documentation. [...]

• Issued DLA 3715-1, as it was discovered that there was an injection attack in Jinja, a popular templating engine used in Python applications. It was possible to inject arbitrary HTML attributes into rendered HTML via the xmlattr filter, potentially leading to a Cross-Site Scripting (XSS) attack. It may also have been possible to bypass attribute validation checks if they were blacklist-based.

• Issued DLA 3716-1 for ruby-httparty, a web service library used in Ruby applications, because it was discovered that there was a HTTP header injection vulnerability. A remote, unauthenticated attacker could have provided a crafted filename parameter during multipart/form-data uploads which could have resulted in, for example, an attacker controlling filenames being written to disk.

• Uploaded Redis version 7.0.15-1~deb12u1 to Debian bookworm in order to address CVE-2023-41056.

• Issued DLA 3724-1 because it was discovered that there was a potential arbitrary code execution vulnerability in Pillow, a popular library for manipulating images used by Python applications.

You can find out more about the Debian LTS project via the following video:

You can subscribe to new posts via email or RSS.