Free software activities in January 2025

Here is my monthly update covering what I have been doing in the free software world during January 2025 (previous month):

• Merged a PR for my django-auto-one-to-one library to automatically create child model instances when a parent class is created in the Django web development framework. In particular, I helped apply a series of regression fixes from a previous change. [...][...]

Reproducible Builds

• Kept isdebianreproducibleyet.com up to date. [...]

• Submitted 6+ patches to fix specific reproducibility issues in kmetronome, parser, parser, rsync, rust-xh & wasistlos, etc.

• Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.

• Drafted, published and publicised our monthly report for December 2024.

diffoscope

In the Reproducible Builds tooling, however, I made the following changes to diffoscope, including preparing and uploading versions 285, 286 and 287 to Debian:

• Security fixes:

  • Validate the --css command-line argument to prevent a potential Cross-site scripting (XSS) attack. Thanks to Daniel Schmidt from SRLabs for the report. […]
  • Prevent XML entity expansion attacks. Thanks to Florian Wilkens from SRLabs for the report.. […][…]
  • Print a warning if we have disabled XML comparisons due to a potentially vulnerable version of pyexpat. […]

• Bug fixes:

  • Correctly identify changes to only the line-endings of files; don't mark them as Ordering differences only. […]
  • When passing files on the command line, don't call specialize(…) before we've checked that the files are identical or not. […]
  • Do not exit with a traceback if paths are inaccessible, either directly, via symbolic links or within a directory. […]
  • Don't cause a traceback if cbfstool extraction failed.. […]
  • Use the surrogateescape mechanism to avoid a UnicodeDecodeError (and a crash) when any decoding zipinfo output that is not UTF-8 compliant. […]

• Testsuite improvements:

  • Don't mangle newlines when opening test fixtures; we want them untouched. […]
  • Move to assert_diff in test_text.py. […]

• Misc improvements:

  • Drop unused subprocess imports. […][…]
  • Drop an unused function in iso9600.py. […]
  • Inline a call and check of Config().force_details; no need for an additional variable in this particular method. […]
  • Remove an unnecessary return value from the Difference.check_for_ordering_differences method. […]
  • Remove unused logging facility from a few comparators. […]
  • Update copyright years. […][…]

Lastly, strip-nondeterminism is our sister tool to remove specific non-deterministic results from a completed build. This month, I uploaded version 1.14.1-1 to Debian, making the following the changes as well:

• Clarify the --verbose and non --verbose output of bin/strip-nondeterminism so we don't imply we are normalizing files that we are not. […]

• Bump Standards-Version to 4.7.0. […]

Debian

Uploads

• bfs (4.0.5-1) — New upstream release.

• python-django:

  • 4.2.18-1 — New upstream security release.
  • 5.1.5-1 — New upstream security release.
  • 5.2~alpha1-1 — New upstream alpha release.

• redis:

  • 7.0.15-3 — New security release.
  • 7.2.5-3 — New security release. (To Debian experimental)

• xtrlock (2.16) — New release after the merge of a number of PRs:

  • Update the Makefile for other distributions. [...]
  • Add support for dropping process capabilities. [...]
  • Add the ability to 'force' locking in some situations. [...]

Debian LTS

This month I worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

• Investigated and triaged docker.io (CVE-2024-36623), logback (CVE-2024-12798 & CVE-2024-12801), nodejs (CVE-2025-23083 & CVE-2025-23085), nvidia-graphics-drivers-tesla-470 (CVE-2024-0131, CVE-2024-0147, CVE-2024-0149 & CVE-2024-0150), openimageio (CVE-2024-55192, CVE-2024-55193, CVE-2024-55194 & CVE-2024-55195), openssl (CVE-2024-13176), python-django (CVE-2024-56374), qtconnectivity-opensource-src (CVE-2025-23050), rsync etc.

• Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.

• Issued both DLA 4030-1 and ELA 1306-1 because it was discovered that there was potential Denial of Service (DoS) vulnerability in Django, the Python-based web development framework. The lack of upper-bound limit enforcement in IPv6 validation could have led to a potential denial-of-service attack. The undocumented and private clean_ipv6_address and is_valid_ipv6_address functions were vulnerable, as was the GenericIPAddressField form field.

• Issued DLA 4016-1 and ELA 1294-1 together as it was discovered that there was a potential command-injection vulnerability was discovered in ucf, a tool to preserve user changes to config files.

• Issued DLA 4010-1 for python-django. The fix for CVE-2024-6923 in the python3.9 source package which was released as part of a suite of updates in DLA 3980-1 introduced safer processing of input in the email module to order to increase the security around email header injection attacks. This change inadvertedly broke sending emails when using lazy translation strings in the python-django package, however, resulting in the package no longer building from source. As the previous behaviour of Python's email module can be enabled by passing the strict=False flag, the python-django package now does so — Django detects and/or encodes newlines in its handling of outbound emails elsewhere.

You can find out more about the Debian LTS project via the following video:

You can subscribe to new posts via email or RSS.