Here is my monthly update covering what I have been doing in the free software world during July 2022 (previous month):
- Reviewed and merged a number of patches by Peter Law for django-enumfield-ng, a library of mine for the Django web application framework to support type-safe enumeration fields.
- I finished my final month as a director of Software in the Public Interest, and I wish the organisation all the best in the future. This month, however, I participated in the usual monthly meeting.
Reproducible Builds
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during the compilation process by promising that identical results are always generated from a given source, thus allowing multiple third parties to come to a consensus on whether a build was compromised.
This month, I:
- Submitted 3 patches to fix specific reproducibility issues in gappa, libshumate & zeal.
- Kept isdebianreproducibleyet.com up to date. [...]
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
- Drafted, published and publicised our monthly report.
diffoscope
Elsewhere in our tooling, I made the following changes to diffoscope, including preparing and uploading versions 218, 219 and 220 to Debian:
- New features:
  - Support Haskell 9.x series files. [...]
- Bug fixes:
- Output improvements:
  - Improve output of Markdown and reStructuredText to use code blocks with highlighting. [...]
- Codebase improvements:
Debian
- 7.0.3-1 — New upstream release.
- 7.0.4-1 — New upstream security release.
- python-django (4.0.6-1) — New upstream security release.
- 4.3.4-1 — New upstream release.
- 4.3.4-2 — Add python3-pytest-asyncio as a requirement for the 0002-python3 autopkgtest.
- 4.3.4-3 — Skip a bunch of known-to-fail tests when running the autopkgtests, especially ones that require third-party Redis modules such as BLOOM.
- bfs (2.6.1-1) — New upstream release.
- hiredis (1.0.2-2) — Disable a test that fails under Redis 7.x.
- python-fakeredis (1.7.1-1) — New upstream release to fix compatibility with Redis 7.x.
Debian LTS
This month I have worked 12 hours on the Extended LTS project. The regular LTS was inactive during July, as stretch moved to extended (ELTS) support, but Debian buster remains under standard Debian security support through August.
- Issued ELA-651-1 as a potential read-out-of-bounds vulnerability was discovered in gsasl, a library for performing SASL authentication. The attack could have been performed by a malicious (authenticated) GSS-API client.
- Issued ELA-649-1 for python-oslo.utils to prevent exposure of sensitive admin passwords due to poor handling of credential masking.
- Issued ELA-648-1 because a potential cross-site scripting (XSS) vulnerability was discovered in ruby-rails-html-sanitizer, a library to clean (or "sanitize") HTML for rendering within Ruby on Rails web applications.
- Issued ELA-646-1 as an arbitrary code execution vulnerability was discovered in python-babel, a library for internationalizing Python applications.
- Issued ELA-645-1. There was a stack buffer overflow vulnerability in pjproject, a multimedia communication library used in various VOIP frameworks. pjproject now maintains a maximum attribute count to prevent this from happening.
- Issued ELA-644-1 as a certificate verification bypass vulnerability was discovered in python-pysaml2, a library for exchanging SAML authentication tokens.
- Issued ELA-640-1 because a SQL injection vulnerability was discovered in Django, the popular Python-based web development framework.
- Issued ELA-638-1. This was because a file traversal vulnerability was discovered in ruby-sinatra, a popular web server often used with Ruby on Rails. The package now validates that any expanded paths match public_dir when serving static files.
- Frontdesk duties, responding to any user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
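The ruby-sinatra fix mentioned above hinges on one containment check: resolve the requested path and serve it only if it still lies under public_dir. The following is an added example of that check written for this post, not code from sinatra or the Debian package; PUBLIC_DIR is an assumed, constructed location.

```ruby
# Added example, not code from sinatra or Debian's ruby-sinatra package:
# a containment check in the spirit of the ELA-638-1 fix, which only serves a
# static file when the fully resolved path still lies inside public_dir.
# PUBLIC_DIR is an assumed, constructed location for this demonstration.
PUBLIC_DIR = "/srv/app/public"

# Returns the absolute filesystem path to serve, or nil when the request
# resolves outside public_dir. request_path is assumed to be the already
# percent-decoded path component of the URL (as Rack hands it to the app).
def safe_static_path(request_path, public_dir = PUBLIC_DIR)
  # Null bytes would truncate the path at the C level; reject them outright.
  return nil if request_path.include?("\0")

  # Drop leading slashes so the request is always resolved relative to
  # public_dir rather than being treated as an absolute path.
  relative = request_path.sub(%r{\A/+}, "")

  # File.absolute_path collapses ".", ".." and repeated separators but,
  # unlike File.expand_path, does not expand a leading "~" to a home directory.
  resolved = File.absolute_path(relative, public_dir)
  base = File.absolute_path(public_dir)

  # Accept only public_dir itself or a true descendant. Comparing against
  # base + "/" stops a sibling such as "/srv/app/public_old" from matching.
  return nil unless resolved == base || resolved.start_with?(base + File::SEPARATOR)

  resolved
end
```

This check is purely lexical: symlinks inside public_dir that point elsewhere are not followed, so a deployment that allows symlinks there should additionally compare File.realpath of the resolved file against the base.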
You can find out more about the LTS project through the following video: