Here is my monthly update covering what I have been doing in the free software world during July 2024 (previous month):
- Updated my installation-birthday script (which, upon installation, will celebrate each 'birthday' of your system by automatically sending a message to the local system administrator) in order to fix an issue in determining the installation date via `tune2fs`. [...]
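The installation date that installation-birthday derives from `tune2fs` comes from the `Filesystem created:` line of `tune2fs -l`. The following is an added example written for this post, not the script's own code: it parses that line out of a constructed `tune2fs -l` sample (the sample text and the device name are made up), returning `None` rather than a bogus date when the line is missing or malformed so a caller can fall back to another heuristic.

```python
import re
import subprocess
from datetime import datetime
from typing import Optional

# Constructed, abridged sample of `tune2fs -l` output; not captured from a real system.
SAMPLE_TUNE2FS_OUTPUT = """\
tune2fs 1.47.0 (5-Feb-2023)
Filesystem volume name:   <none>
Last mounted on:          /
Filesystem UUID:          00000000-0000-0000-0000-000000000000
Filesystem state:         clean
Inode count:              6553600
Block count:              26214400
Filesystem created:       Sat Mar  4 09:15:42 2023
Last mount time:          Mon Jul  1 08:00:00 2024
Last write time:          Mon Jul  1 08:00:00 2024
"""

# tune2fs prints timestamps in ctime(3) style, e.g. "Sat Mar  4 09:15:42 2023".
# The day of month is space-padded; strptime treats format whitespace as \s+,
# so the double space is handled without special-casing.
_CTIME_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_filesystem_created(output: str) -> Optional[datetime]:
    """Return the 'Filesystem created' timestamp from `tune2fs -l` output.

    Returns None when the line is absent (e.g. not an ext2/3/4 filesystem) or
    the timestamp does not parse, so callers never mistake garbage for a date.
    """
    match = re.search(r"^Filesystem created:\s+(.+?)\s*$", output, re.MULTILINE)
    if match is None:
        return None
    try:
        return datetime.strptime(match.group(1), _CTIME_FORMAT)
    except ValueError:
        return None


def candidate_installation_time(device: str) -> Optional[datetime]:
    """Run `tune2fs -l` on a block device (normally requires root) and parse it.

    Any failure to run the tool (missing binary, permission denied, not an ext
    filesystem) yields None instead of raising, matching the parser's contract.
    """
    try:
        proc = subprocess.run(
            ["tune2fs", "-l", device], capture_output=True, text=True, check=True
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_filesystem_created(proc.stdout)


if __name__ == "__main__":
    created = parse_filesystem_created(SAMPLE_TUNE2FS_OUTPUT)
    print("Sample filesystem created:", created.isoformat() if created else "unknown")
    # Hypothetical device name; on a real system pass the root filesystem's device.
    live = candidate_installation_time("/dev/sda1")
    print("Live candidate installation time:", live.isoformat() if live else "unknown")
```

Only the parsing function is exercised offline; `candidate_installation_time` needs a real ext filesystem and sufficient privileges, which is why it degrades to `None` rather than raising.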
Reproducible Builds
One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. However, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into ostensibly secure software during the various compilation and distribution processes.
This month, I:
- Kept isdebianreproducibleyet.com up to date. [...]
- Submitted the following patches to fix reproducibility-related toolchain issues within Debian:
- I also submitted 4 patches to fix specific reproducibility issues in `debcraft`, `meson-python`, `nautilus` & `pytest`.
- Updated the 'Projects' page on our website to fix a potentially duplicate link. [...]
- Categorised a large number of packages and issues in the Reproducible Builds `notes.git` repository.
- In our tooling, I made the following changes to diffoscope, including preparing and uploading versions 270 and 271 to Debian:
  - Ensure that the `convert` utility is from ImageMagick version 6.x. The command-line interface has seemingly changed with the 7.x series of ImageMagick. [...]
  - Factor out version detection in `test_jpeg_image`. [...]
  - Correct the import of the `identify_version` method after a refactoring change in a previous commit. [...]
  - Move away from using DSA OpenSSH keys in tests as support has been deprecated and removed in OpenSSH version 9.8p1. (#382)
  - Move to `assert_diff` in the `test_openssh_pub_key` package. [...]
  - Update copyright years. [...]
- Drafted, published and publicised our monthly report.
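The ImageMagick change above hinges on telling a 6.x `convert` apart from the 7.x legacy shim, whose command-line behaviour differs. As an added illustration (not diffoscope's own code), the block below parses the `Version:` line of `convert --version` into a comparable tuple and gates on the major version; both sample outputs are constructed, not captured from real builds.

```python
import re
import subprocess
from typing import NamedTuple, Optional

# Constructed samples of `convert --version` output; not captured from real builds.
SAMPLE_CONVERT_V6 = """\
Version: ImageMagick 6.9.11-60 Q16 x86_64 2021-01-25 https://imagemagick.org
Copyright: (C) 1999-2021 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
"""
SAMPLE_CONVERT_V7 = """\
Version: ImageMagick 7.1.1-15 Q16-HDRI x86_64 21298 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
"""


class ImageMagickVersion(NamedTuple):
    major: int
    minor: int
    patch: int


# Only the first line carries the version; the remaining lines vary by build
# (quantum depth, HDRI, build date) and are deliberately ignored.
_VERSION_RE = re.compile(r"^Version:\s+ImageMagick\s+(\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_imagemagick_version(output: str) -> Optional[ImageMagickVersion]:
    """Extract (major, minor, patch) from `convert --version` text, or None."""
    match = _VERSION_RE.search(output)
    if match is None:
        return None
    return ImageMagickVersion(*(int(part) for part in match.groups()))


def installed_convert_version() -> Optional[ImageMagickVersion]:
    """Query the `convert` binary on PATH; None when absent or unparseable."""
    try:
        proc = subprocess.run(["convert", "--version"], capture_output=True, text=True)
    except OSError:  # binary not installed
        return None
    return parse_imagemagick_version(proc.stdout)


def convert_is_supported(version: Optional[ImageMagickVersion]) -> bool:
    """Accept only the 6.x series, whose CLI the expected test output was produced with."""
    return version is not None and version.major == 6


if __name__ == "__main__":
    for label, sample in (("6.x sample", SAMPLE_CONVERT_V6), ("7.x sample", SAMPLE_CONVERT_V7)):
        print(label, parse_imagemagick_version(sample), convert_is_supported(parse_imagemagick_version(sample)))
    print("installed:", installed_convert_version())
```

A test suite would call `convert_is_supported(installed_convert_version())` in a skip condition, so the comparison tests neither fail spuriously on 7.x nor pass vacuously when `convert` is missing.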
Debian
Uploads
- `memcached` (1.6.29-1) — New upstream release
- 4.2.14-1 — New upstream security release
- 5.1~rc1-1 — New release candidate
- `docbook-to-man` (1:2.0.0-47) — Fix `-Wint-conversion`-related build failure with GCC 14. (#1074918)
- `lastpass-cli` (1.5.0-2) — Fix build failure with GCC 14. (#1075129)
- `installation-birthday` (18) — Fix generation of candidate installation time via `tune2fs`. (#1075788)
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.
- Made a large number of changes to the `bin/package-operations` script, including a change to use `requests.Session` to speed up the script's interactions with Salsa, and added support for GitLab API pagination in order to fix an issue that was revealed by packages with many tags in their Git repository (e.g. `samba`).
- Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.
- Issued ELA-1128-1 because two different vulnerabilities were discovered in Apache Axis, an XML-based web service framework for Java. In particular, this update fixed a cross-site scripting (XSS) attack as well as an issue in `ServiceFactory.getService` that allowed potentially dangerous lookup mechanisms which exposed applications to Denial of Service (DoS) and perhaps remote code execution.
- Issued ELA-1131-1 in order to mitigate an HTTP request smuggling vulnerability discovered in phpLDAPadmin, a web-based interface for administering Lightweight Directory Access Protocol (LDAP) servers.
- Issued ELA-1132-1 because a Cross-Site Scripting (XSS) vulnerability was discovered in the `php-horde-mime-viewer` package, a PHP library for parsing and displaying email messages encoded in the MIME format.
- Issued ELA-1139-1 as a potential remote code execution vulnerability was discovered in phpPgadmin, a web-based administration tool for the PostgreSQL database. This was an issue related to the deserialisation of untrusted data, which may have led to remote code execution because user-controlled data was passed directly to the PHP `unserialize` function.
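The `package-operations` change above addressed a classic silent-truncation bug: GitLab's list endpoints return at most `per_page` items (100 maximum) and signal further pages via the `X-Next-Page` header, so a client reading only the first response misses tags once a repository has more than a page of them. The block below is an added example for this post, not the LTS team's script: it walks every page through a pluggable fetcher, builds the real fetcher on one `requests.Session` (imported lazily, so the offline demo has no dependency), and exercises the loop against a constructed in-memory stand-in for a Salsa tags endpoint. The endpoint path follows GitLab's documented `/projects/:id/repository/tags` API; the project id and tag names are made up.

```python
import math
from typing import Any, Callable, Dict, Iterator, List, Mapping, Optional, Tuple

# A fetcher takes (url, query parameters) and returns (HTTP status, response
# headers, decoded JSON body). Abstracting this lets the same pagination loop
# run against a real requests.Session or the constructed fake below.
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, Mapping[str, str], Any]]


def iter_paginated(fetch: Fetcher, url: str, per_page: int = 100) -> Iterator[Any]:
    """Yield every item of a GitLab list endpoint by following X-Next-Page.

    GitLab's offset pagination returns at most `per_page` items per response and
    sets X-Next-Page to the next page number, or to an empty string on the last
    page. Stopping on the empty header (rather than on a short page) is what the
    API documents, so it also works when the last page happens to be full.
    """
    page = "1"
    while page:
        status, headers, body = fetch(url, {"per_page": str(per_page), "page": page})
        if status != 200:
            raise RuntimeError(f"GitLab returned HTTP {status} for {url} page {page}")
        yield from body
        # HTTP header names are case-insensitive; normalise before the lookup.
        lowered = {name.lower(): value for name, value in headers.items()}
        page = lowered.get("x-next-page", "")


def requests_fetcher(token: Optional[str] = None) -> Fetcher:
    """Build a fetcher on a single requests.Session so TCP/TLS connections are reused."""
    import requests  # imported lazily so the offline demo has no dependency

    session = requests.Session()
    if token:
        session.headers["PRIVATE-TOKEN"] = token  # GitLab's personal-access-token header

    def fetch(url: str, params: Dict[str, str]):
        response = session.get(url, params=params, timeout=30)
        return response.status_code, response.headers, response.json()

    return fetch


class FakeGitLab:
    """Constructed stand-in for a tags endpoint holding `total` tags (not a real API)."""

    def __init__(self, total: int):
        self.tags = [{"name": f"debian/1.0-{i}"} for i in range(1, total + 1)]
        self.requests_made = 0

    def fetch(self, url: str, params: Dict[str, str]):
        self.requests_made += 1
        per_page, page = int(params["per_page"]), int(params["page"])
        pages = max(1, math.ceil(len(self.tags) / per_page))
        start = (page - 1) * per_page
        chunk = self.tags[start:start + per_page]
        headers = {
            "X-Page": str(page),
            "X-Per-Page": str(per_page),
            "X-Total-Pages": str(pages),
            "X-Next-Page": str(page + 1) if page < pages else "",
        }
        return 200, headers, chunk


def all_tag_names(fetch: Fetcher, project_id: int) -> List[str]:
    # Path per GitLab's documented API; the project id is supplied by the caller.
    url = f"https://salsa.debian.org/api/v4/projects/{project_id}/repository/tags"
    return [tag["name"] for tag in iter_paginated(fetch, url)]


def demo() -> Tuple[int, int, int]:
    """Return (tags seen by a first-page-only client, tags seen with pagination, requests made)."""
    fake = FakeGitLab(total=250)  # a long-lived package with many tags, like samba
    first_page = fake.fetch("unused", {"per_page": "100", "page": "1"})[2]
    fake.requests_made = 0
    names = all_tag_names(fake.fetch, project_id=12345)  # constructed project id
    return len(first_page), len(names), fake.requests_made


if __name__ == "__main__":
    print("first page only / paginated / requests:", demo())
```

Against a real instance you would pass `requests_fetcher(token)` in place of `fake.fetch`; everything else, including the stop condition, stays the same.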
You can find out more about the Debian LTS project via the following video: