Here is my monthly update covering what I have been doing in the free software world during July 2023 (previous month).
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.
This month, I:
Opened pull requests to make the build reproducible in:
Categorised a large number of packages and issues in the Reproducible Builds
Drafted, published and publicised our monthly report for June 2013.
I made the following changes to diffoscope, including preparing and uploading versions
- Don't include file size in image metadata (it is, at best, distracting and it is already in the directory metadata). [...]
- Move to using
assert_diffin ICO and JPEG tests. [...]
- Temporarily mark some Android-related as XFAIL due to Debian bugs #1040941 and #1040916. [...]
- Attempt compatibility with
- Fix "test skipped" reason generation in the case of a version outside of the required range. [...]
- Mark that
3.0-1) — New upstream release.
1.2.0-1— New upstream release.
1.2.0-2— Rename package to match new
3.2.20-1— New upstream security release.
4.2.3-1— New upstream security release.
7.0.12-1— New upstream security release.
7.2~rc3-1— New upstream security release.
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
Investigated and triaged
Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
Issued DLA 3494-1 because it was discovered that there was an issue in
ruby-doorkeeper, an OAuth2 provider for Ruby on Rails applications. Doorkeeper automatically processed authorization requests without user consent for public clients that have been previously approved, but public clients are inherently vulnerable to impersonation as their identity cannot be assured.
Issued DLA 3498-1 and ELA-904-1 for the popular Domain Name Server (DNS) server,
bind9. Shoham Danino, Anat Bremler-Barr, Yehuda Afek and Yuval Shavitt discovered that a flaw in the cache-cleaning algorithm used in
namedcan cause that
named's configured cache size limit can be significantly exceeded, potentially resulting in a denial of service attack.
Issued DLA 3500-1 as it was discovered that there was a potential denial of service attack in Django, the popular Python-based web development framework. The
URLValidatorclasses were subject to potential regular expression denial of service attacks via a very large number of domain name labels of emails and URLs. Updates for Debian bullseye and bookworm have been prepared and are forthcoming.
You can find out more about the Debian LTS project via the following video:
You can subscribe to new posts via email or RSS.