Here is my monthly update covering what I have been doing in the free software world during June 2021 (previous month):
As part of my role as assistant Secretary of the Open Source Initiative and a board director of Software in the Public Interest, I attended their respective monthly meetings. As outlined in last month's update, my term on the OSI board has been extended due to the discovery of a vulnerability in OSI's recent election — as a result, the 2021 election will be re-run to ensure transparency of the process.
Updated my django-email-from-template library, releasing versions 2.4.0 and 2.4.1 in order to incorporate a number of changes from Robin to stop Django from escaping HTML special characters in email subjects & plaintext bodies [...] and to correct a typo [...].
Reproducible Builds
The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during compilation processes. The project is proud to be a member project of the Software Freedom Conservancy. Conservancy acts as a corporate umbrella allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.
This month, I:
- Kept isdebianreproducibleyet.com up to date. [...]
- Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
- Drafted, published and publicised our monthly report.
- Attended the first of our newly-returned IRC meetings.
- Updated the main Reproducible Builds website and documentation to:
  - Use an ellipsis [...] and drop a full stop [...] to clarify 'more items' links.
  - Update the link and logo to Google Open Source Security Team. [...]
  - Reduce the amount of bold text on the homepage. [...]
  - Document the non-reproducibility arising from abbreviated Git hashes depending on the number of total objects in a Git repository. [...]
- Updated the try.diffoscope.org service to reflect that they were acquired by the Iomart Group. [...]
Debian uploads
- 4.0.29-1 — New upstream release (release notes).
- 4.0.30-1 — New upstream release (release notes).
- 4.0.31-1 — New upstream release (release notes).
- bfs (2.2.1-1) — New upstream release.
- redisearch (1:1.2.2-4) — Ensure that the Redis module file has executable permissions, otherwise the redis-server service will refuse to start. (#989385)
Debian LTS
This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project. This included:
- Investigating and triaging apache2 (CVE-2019-17567, etc.), bundler (CVE-2020-36327), ffmpeg, htmldoc, isync (CVE-2021-3578), jetty9 (CVE-2021-28169), libupnp (CVE-2021-28302), nettle (CVE-2021-3580), openjpeg2, redis, ruby2.3 & runc (CVE-2021-30465).
- Frontdesk duties, responding to developer questions, reviewing others' packages, participating in mailing list discussions, etc., as well as attending our monthly meeting and other administrativa.
- Issuing DLA 2676-1 and ELA 440-1 to address two issues in Django, the Python-based web development framework: the first pertained to a potential directory traversal issue, and the second was related to the incorrect parsing of IP addresses.
- It was discovered that there was an XML External Entity (XXE) issue in libjdom2-java, a library for reading and manipulating XML documents. Attackers could have caused a denial of service attack via a specially-crafted HTTP request. I therefore issued DLA 2696-1 and ELA 449-1 to fix this issue.
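As an added illustration of the class of bug in the libjdom2-java advisory (this is my own example, not code from JDOM, Debian or the DLA), the following Python parser applies the standard XXE mitigation: refuse any document that carries a DOCTYPE before a single entity can be declared, so neither an external entity nor an expansion bomb in the internal subset is ever processed. It uses the stdlib `xml.parsers.expat` module directly; the two sample documents are constructed, and the SYSTEM identifier in the second is a placeholder rather than a real path. JDOM2 users can express the same policy on a `SAXBuilder` with the Xerces feature `http://apache.org/xml/features/disallow-doctype-decl`.

```python
import xml.parsers.expat as expat

# Constructed samples: a plain document, and one carrying a DOCTYPE that declares
# an external entity, the shape that XXE and entity-expansion attacks share.
BENIGN = b'<?xml version="1.0"?><records><record id="1">ok</record></records>'
WITH_DOCTYPE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE records [<!ENTITY ext SYSTEM "file:///placeholder">]>'
    b'<records>&ext;</records>'
)


class DoctypeRejected(ValueError):
    """Raised as soon as a DOCTYPE is seen, before any entity in it is declared."""


def parse_hardened(data: bytes) -> list:
    """Parse XML and return the element names seen; refuse documents with a DOCTYPE."""
    parser = expat.ParserCreate()
    seen = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised in a handler propagate out of parser.Parse().
        raise DoctypeRejected(f"DOCTYPE {name!r} rejected: DTDs are not accepted")

    def external_entity(context, base, sysid, pubid):
        # Unreachable once DOCTYPEs are refused; kept as a second line of defence.
        # Returning 0 makes expat report an error instead of resolving the entity.
        return 0

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)
    return seen


def check(data: bytes):
    """Return (accepted, detail): element names when accepted, the refusal reason otherwise."""
    try:
        return True, parse_hardened(data)
    except DoctypeRejected as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed: {exc}"


if __name__ == "__main__":
    print(check(BENIGN))
    print(check(WITH_DOCTYPE))
```

Rejecting the DOCTYPE outright is the cheapest policy and is the right one for any service that has no business accepting DTDs; disabling only external entities leaves internal-subset expansion bombs as a denial-of-service vector, which is why the whole declaration is refused here.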
You can find out more about the project via the following video: