Here is my monthly update covering what I have been doing in the free software world during June 2021 (previous month):
As part of my role of being the assistant Secretary of the Open Source Initiative and a board director of Software in the Public Interest, I attended their respective monthly meetings. As outlined in last month's update, my term on the OSI board has been extended due to the discovery of a vulnerability in OSI's recent election — as a result, the 2021 election will be re-run to ensure transparency of the process.
django-email-from-template library, releasing versions 2.4.1 in order to incorporate a number of changes from Robin to stop Django from escaping HTML special characters in email subject & plaintext bodies [...] and to correct a typo [...].
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during compilation processes. The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
This month, I:
Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
Drafted, published and publicised our monthly report.
Attended the first of our newly-returned IRC meetings.
Updated the main Reproducible Builds website and documentation to:
- Use an ellipsis [...] and drop a full stop [...] to clarify 'more items' links.
- Update the link and logo to Google Open Source Security Team. [...]
- Reduce the amount of bold text on the homepage. [...]
- Document the non-reproducibility arising from abbreviated Git hashes depending on the number of total objects in a Git repository. [...]
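The abbreviated-hash problem in the last item above is easy to misread as a formatting quirk, so here is a small added illustration of the mechanism. This is example code written for this page; it is not from the Reproducible Builds documentation or from Git itself. The object hashes are constructed, and `git_auto_abbrev_len` is my transcription of the heuristic Git uses for `core.abbrev=auto` (start at roughly half of log2(object count), rounded up to hex digits, never below 7, then extend until the prefix is unique), not a call into Git.

```python
"""Why `git rev-parse --short` / `%h` output depends on the whole repository.

Git abbreviates a hash to the shortest prefix that is unique among *all*
objects in the clone, starting from a default length that itself grows
with the object count.  The same commit therefore prints as 7, 9 or 12
characters depending on what else a build machine's clone contains,
which is why embedding such an abbreviation in a build artefact makes
it unreproducible.

All hashes here are constructed for illustration; they are not real objects.
"""
from math import ceil

FALLBACK_DEFAULT_ABBREV = 7  # Git's floor for core.abbrev=auto


def git_auto_abbrev_len(object_count: int) -> int:
    """Approximate Git's auto default abbreviation length for a repo size.

    Git takes the most-significant-bit position of the approximate object
    count plus one (roughly log2(count)), halves it as a birthday-bound
    collision estimate, rounds up to whole hex digits, and never goes
    below 7.  Transcribed heuristic, not a Git API call.
    """
    if object_count < 1:
        return FALLBACK_DEFAULT_ABBREV
    msb = object_count.bit_length() - 1
    length = ceil((msb + 1) / 2)
    return max(length, FALLBACK_DEFAULT_ABBREV)


def shortest_unique_prefix(target: str, all_objects, object_count=None) -> str:
    """Return the abbreviation Git would print for `target`.

    Starts at the auto length for `object_count` (defaults to the number
    of objects supplied) and extends one hex digit at a time until no
    other object in the repository shares the prefix.
    """
    target = target.lower()
    others = {h.lower() for h in all_objects} - {target}
    count = len(all_objects) if object_count is None else object_count
    length = git_auto_abbrev_len(count)
    while length < len(target) and any(o.startswith(target[:length]) for o in others):
        length += 1
    return target[:length]


# Constructed commit hash (40 hex digits), not a real object.
COMMIT = "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b"

# A small clone holding the commit plus two unrelated objects.
SMALL_REPO = [
    COMMIT,
    "ffee1234" + "0" * 32,
    "0badf00d" + "1" * 32,
]

# The same clone after fetching one more blob that happens to share the
# first eight hex digits with the commit.
CROWDED_REPO = SMALL_REPO + ["1a2b3c4dabcdef" + "2" * 26]


def demo():
    """Same commit, three clones, three different abbreviations."""
    return (
        shortest_unique_prefix(COMMIT, SMALL_REPO),                       # 7 chars
        shortest_unique_prefix(COMMIT, CROWDED_REPO),                     # 9 chars
        shortest_unique_prefix(COMMIT, SMALL_REPO, object_count=10_000_000),  # 12 chars
    )


if __name__ == "__main__":
    for abbrev in demo():
        print(abbrev)
```

The third case models a clone the size of a large kernel-style repository: even with no colliding prefix, the default length alone has already moved to 12 digits. The reproducible fix is the one the documentation recommends: either record the full hash, or pin an explicit length (for example `--short=12` or `core.abbrev=12`) so the output no longer depends on the object count.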
2.2.1-1) — New upstream release.
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project. This included:
Investigating and triaging
Frontdesk duties, responding to developer questions, reviewing others' packages, participating in mailing list discussions, etc., as well as attending our monthly meeting and other administrativa.
Issuing DLA 2676-1 and ELA 440-1 to address two issues in Django, the Python-based web development framework: the first pertained to a potential directory traversal issue, and the second was related to the incorrect parsing of IP addresses.
It was discovered that there was an XML External Entity (XXE) issue in libjdom2-java, a library for reading and manipulating XML documents. Attackers could have caused a denial of service attack via a specially-crafted HTTP request. I therefore issued DLA 2696-1 and ELA 449-1 to fix this issue.